
Feature Req: IKEv2 server and client

Posted: Wed Oct 15, 2014 9:52 pm
by javagg
Please make it possible :D

Re: Feature Req: IKEv2 server and client

Posted: Thu Oct 16, 2014 10:53 am
by mrz
It is planned in ROS v7

Re: Feature Req: IKEv2 server and client

Posted: Thu Oct 16, 2014 1:30 pm
by nz_monkey
It is planned in ROS v7
When is it planned that we can test ROS v7?

Re: Feature Req: IKEv2 server and client

Posted: Thu Oct 16, 2014 1:48 pm
by mrz
When it's ready :)

Re: Feature Req: IKEv2 server and client

Posted: Thu Oct 16, 2014 2:27 pm
by nz_monkey
When it's ready :)
touché

:)

Re: Feature Req: IKEv2 server and client

Posted: Mon May 04, 2015 11:24 am
by johnryanlee
We are in desperate need of using the Mikrotik as an IKEv2 VPN member. Is there an ETA on this feature?

Re: Feature Req: IKEv2 server and client

Posted: Thu May 07, 2015 1:53 am
by alphil
We have an infrastructure based on Mikrotik routers. Now we need to connect our network with the Microsoft Azure network. It is required to use IKEv2 to establish the IPsec tunnel.

We hope that ROSv7 will appear shortly with IKEv2 support.

Thanks.

Re: Feature Req: IKEv2 server and client

Posted: Sat May 16, 2015 10:41 am
by yiannos
+1 here. Many clients need it.

Re: Feature Req: IKEv2 server and client

Posted: Sun May 24, 2015 9:20 pm
by knoor56
Windows Phone 8/8.1 has all but done away with PPTP & L2TP :-(. The only VPN protocol supported on these devices is IKEv2 (what were you thinking, Microsoft?), thus the desperation for an IKEv2 VPN server in RouterOS. Please add it soon, or at least give us an ETA so we know not to waste time on alternate solutions.

Re: Feature Req: IKEv2 server and client

Posted: Fri May 29, 2015 4:13 am
by ziegenberg
Definitely needed! Desperately.

Re: Feature Req: IKEv2 server and client

Posted: Thu Jun 18, 2015 8:12 am
by lorsungcu
Any word on a timeline for ros7? This is needed so badly.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jun 24, 2015 5:50 pm
by mapache
This is needed! Any update for ETA on this feature?

Re: Feature Req: IKEv2 server and client

Posted: Mon Jun 29, 2015 7:09 pm
by cesposito
+1 for IKEv2, very much needed

Re: Feature Req: IKEv2 server and client

Posted: Sun Aug 02, 2015 8:32 pm
by goodmirek
When it's ready :)
I do not consider that answer by Mikrotik staff respectful. I do not think it is funny to reply in this way to paying customers.

As I was also in need of IKEv2, I have resolved it with OpenWRT. StrongSwan works well there. You can use any router, not only Mikrotik.

Re: Feature Req: IKEv2 server and client

Posted: Wed Aug 12, 2015 9:38 pm
by gcarvalho
I guess Mikrotik is happy with itself. Mikrotik devices interconnect perfectly with other Mikrotik devices. But we need more than this. And nowadays IKEv2 is imperative. So Mikrotik should make the customer's priority its priority. Since ROSv7 has no release date yet and we are committed to clients, we cannot continue telling them that IKEv2 will be in ROSv7 without a date. As this undefined date is too distant, Mikrotik should still release IKEv2 on ROSv6. We can't wait any longer. Please, hurry up!

Re: Feature Req: IKEv2 server and client

Posted: Thu Aug 13, 2015 4:27 am
by propagandhi
Completely agree. If there are going to be extended delays in getting v7, then Mikrotik needs to look at bringing forward some features to the current version.

With such a promising and growing product, it's very important to also not lapse behind current technology.

Re: Feature Req: IKEv2 server and client

Posted: Thu Aug 27, 2015 7:03 am
by StrataNet
+1.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 12, 2015 3:57 pm
by Aeonikus
Before IKEv2 is stable in ROS7, one can use MetaROUTER, install an OpenWRT image and use it for the IKEv2 setup.
I know it's not as straightforward as having it supported by the Mikrotik box itself, but I think it will take some time before IKEv2 is mature enough to be used in production.
Just my 2 cents... :)

Re: Feature Req: IKEv2 server and client

Posted: Sun Nov 29, 2015 11:18 pm
by Argon
+1

IKEv2 is necessary to connect a local net to Azure with dynamic routing. I hoped to recommend Mikrotik to my customers, but 3 years have passed and it does not support IKEv2.

Re: Feature Req: IKEv2 server and client

Posted: Fri Feb 19, 2016 4:05 pm
by fernandf
+1
I also need it for connecting to the dynamic gateway in Azure.

Please! ikev2 ASAP.

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 26, 2016 10:19 am
by lordcoke
+1
It's time for IKEv2

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 26, 2016 10:40 am
by michas
+1
IKEv2 support would be great

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 26, 2016 12:04 pm
by sputniki
+1
when does MikroTik implement IKEv2?

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 26, 2016 1:03 pm
by mrz
As it was mentioned earlier in this topic
ROS v7.

Re: Feature Req: IKEv2 server and client

Posted: Mon May 09, 2016 2:30 am
by irghost
As it was mentioned earlier in this topic
ROS v7.
by mrz » Thu Oct 16, 2014 11:23 am

My grandpa hopes to see ROS7 before he dies.

When can we test ROS7 with an IKEv2 server?

Re: Feature Req: IKEv2 server and client

Posted: Mon May 23, 2016 1:49 pm
by rerime
As it was mentioned earlier in this topic
ROS v7.
More than one year later...
IKEv2 is very much needed. We have infrastructure in Azure and can't use route-based VPN ((((

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 03, 2016 10:39 am
by JimmyNyholm
My 2 Cents is that V7 is a Unicorn.
If one reads the forum and all that V7 will fix... Good damn... No company in history has ever managed to release such a big overhaul.

IKEv2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.

If not in the V6 branch, then release a scaled-down R7 branch with only a work-in-progress specific feature set. The problem is not that one can't afford another Mikrotik box to solve the problem, as you would need to get that version on a separate system. But then again, as the situation is now, it is not solvable at all with Mikrotik.

Don't come barking with "use meta this and that". There is a whole other ton of considerations before deploying a new "other" system.

I honestly like all with mikrotik except this Unicorn V7 crap.

Re: Feature Req: IKEv2 server and client

Posted: Sat Jun 11, 2016 2:42 pm
by Zorro
But every kid knows: unicorns are COOL.
So ROS 7 has to be too ;)

Re: Feature Req: IKEv2 server and client

Posted: Sun Jun 12, 2016 8:05 am
by IntrusDave
IKEv2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.
I work in healthcare, with more than 250 companies including all of the insurance companies, and 13 hospitals. Not a single one uses IKEv2. Not even testing it. As far as healthcare and insurance are concerned, IPsec with PFS is still the standard.

Re: Feature Req: IKEv2 server and client

Posted: Mon Jun 20, 2016 6:04 am
by DanielJB
I am also waiting for IKEv2 support from MikroTik, but caught between deploying EdgeRouters with IKEv2 or L2TP+IPSec on Mikrotik.

Re: Feature Req: IKEv2 server and client

Posted: Tue Jun 21, 2016 8:42 pm
by willyfontana
+1 here, also in need of IKEv2.

As many others before me, I'm needing to connect an Azure network with virtual machines to another facility where we have servers. Azure is using IKEv2 and I don't see any way to downgrade it or use another option. I also have an entire network using MikroTik devices and feel reluctant to change products. A new product means a new learning curve, new skills to develop and new problems to discover and solve.

Please MikroTik guys, we're counting on you!

Thank you

Re: Feature Req: IKEv2 server and client

Posted: Wed Jun 22, 2016 12:49 pm
by mrz
Azure also works with IKEv1, so until v7 is released you can set up tunnels with IKEv1.

Re: Feature Req: IKEv2 server and client

Posted: Tue Aug 23, 2016 12:26 am
by efterom
When using Azure with multi-site VPN, you need IKEv2 :(

Re: Feature Req: IKEv2 server and client

Posted: Wed Aug 31, 2016 9:43 am
by rascal
+1 for IKEv2 support
What is the planned release date of ROSv7?

Re: Feature Req: IKEv2 server and client

Posted: Thu Sep 15, 2016 6:02 pm
by gcarvalho
I guess ROS v7 with the begged-for IKEv2 will come just after ROS v6.999. We are still on ROS v6.37, so patience ...

Re: Feature Req: IKEv2 server and client

Posted: Thu Sep 15, 2016 6:08 pm
by mrz
You are so optimistic, maybe it will be v6.9999

Re: Feature Req: IKEv2 server and client

Posted: Thu Sep 15, 2016 6:09 pm
by hci
Apple iOS 10.x just pulled PPTP support, but they have supported IKEv2 for a long time now.

Re: Feature Req: IKEv2 server and client

Posted: Mon Oct 03, 2016 10:52 am
by mbeauverd
Hello !

I need to make many IPv6 IPsec tunnels to a datacenter that has a Zywall.
Only IKEv2 is supported for IPv6 tunnels on a Zywall.

So you tell me that I have to buy a crappy Zywall to do it? :(

Any other solutions ?

Re: Feature Req: IKEv2 server and client

Posted: Tue Oct 11, 2016 7:12 pm
by hci
Since Mikrotik does not currently support IKEv2, is there any other inexpensive and easy-to-set-up solution until we get support in Mikrotik?

Re: Feature Req: IKEv2 server and client

Posted: Fri Oct 14, 2016 6:09 pm
by phillipm
+1 It's been over a year now

Re: Feature Req: IKEv2 server and client

Posted: Sat Oct 15, 2016 1:58 pm
by Unic
Yes, it's really needed, as you can't change the security or VPN policy of the IT admins at the other end, and if they are allowed to, I really don't want to tell them that they have to use IKEv1.

+10
IKEv2 is the new standard in almost all communications between organisations. We NEEEEEEEEEEEEEEEEED it.
I work in healthcare, with more than 250 companies including all of the insurance companies, and 13 hospitals. Not a single one uses IKEv2. Not even testing it. As far as healthcare and insurance are concerned, IPsec with PFS is still the standard.
In Germany, healthcare is the most insecure place. Every time I work with healthcare I need to throw security out of the window. E.g. we need to have local admins on terminal servers and clients, Internet Explorer not higher than 8 with a lot of security settings disabled, because of the healthcare software that works so badly on secured systems (or the developer does not know how to configure it). We even have Windows XP machines, because drivers for medical machines only run on XP. In healthcare in Germany there is no concern about security as long as there is no lawbreaking. So we still send sensitive information mostly by fax, as IP/mail etc. aren't secure. Fax over VoIP? No problem as long as it is fax.

And long story short: if you need to place a Mikrotik against a named product like Fortigate, Cisco and so on, you can't survive the competition when your device can't meet modern standards like IKEv2 or fully working L2TP/IPsec. Luckily no one out there really believes that a modern firewall doesn't support IKEv2, so this question doesn't pop up in feature requests ;)

ROS 7? That's the best I've learned for marketing. If you don't have a feature, place it in the next major version and slowly move features from the RoS 7 timeline to RoS 6 when they are ready. RouterOS is a great base, but I fear that they are slowly losing connection to the market.

Re: Feature Req: IKEv2 server and client

Posted: Thu Oct 27, 2016 1:13 pm
by Argon
Please provide the ETA for ROS v7. IKEv2 is critically needed.

Re: Feature Req: IKEv2 server and client

Posted: Fri Oct 28, 2016 10:40 pm
by roginvs
We are waiting for IKEv2 too

Re: Feature Req: IKEv2 server and client

Posted: Sat Oct 29, 2016 8:48 am
by mbeauverd
Please provide the ETA for ROS v7. IKEv2 is critically needed.
+1000

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 01, 2016 8:40 pm
by Wedge
Hopefully Mikrotik actually reads this...

A customer wants to buy several hundred thousand Mikrotik devices... Unfortunately, the lack of IKEv2 is likely going to mean another device will be used.

They have 1 month to get this done.

+500,000

Re: Feature Req: IKEv2 server and client

Posted: Wed Nov 02, 2016 8:53 am
by klrgirish198117
Hi,

I am from an ISP and I am using an RB 1036 router for my backbone. Can anyone help me resolve my problem?

In my network the VPN is not connecting (Cisco).

I tried to apply all rules with the VPN ports open. Even so it is not connecting.

Can anyone suggest how to get out of this issue?

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 03, 2016 11:22 pm
by doneware
What's new in 6.38rc24 (2016-Nov-03 13:01):

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 03, 2016 11:31 pm
by Wedge
What's new in 6.38rc24 (2016-Nov-03 13:01):

!) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only);
!) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only);
That is certainly encouraging, I'll have to test that out.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 03, 2016 11:41 pm
by hci
Please update how it works for you.

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 04, 2016 12:07 pm
by vonsete
Amazing ... IKEv2 is essential

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 04, 2016 12:50 pm
by manbot
That is certainly encouraging, I'll have to test that out.
Can you help with the CLI setup? I don't have enough knowledge to make it work...

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 08, 2016 4:55 pm
by mrz
Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 08, 2016 6:02 pm
by manbot
Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?
I'm here... Can I have a test CLI config for testing?
I can return feedback!

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 08, 2016 6:26 pm
by mrz
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth

Still work in progress, but general required config should be clear.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 10, 2016 3:48 pm
by ziegenberg
Hello, where is everybody? There were so many requests that ikev2 is essential. Any feedback?
I'm happy. It works for site2site.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 10, 2016 7:09 pm
by irico
I'm trying to establish, in a test lab, a site-to-site IPsec tunnel with pre-shared key and IKEv2, without success.
The network scheme is like that:
LAN1 - (192.168.160.1/24) CHR1 (10.0.0.1/24) - "routing" - (10.1.0.1/24) CHR2 (192.168.170.1/24) – LAN2

WAN masquerade on CHR1 and CHR2 but no masquerade between LAN1 and LAN2.
No firewall filters. Very basic configuration.

If I configure everything to work with IKEv1 (main exchange mode), everything works correctly.
When I change exchange mode at both routers to ike2, IPSec can't connect.

CHR1 IPSec config:
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    name=VPN pfs-group=none
/ip ipsec peer
add address=10.1.0.1/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no secret=TEST
/ip ipsec policy
add dst-address=192.168.170.0/24 proposal=VPN sa-dst-address=10.1.0.1 \
    sa-src-address=10.0.0.1 src-address=192.168.160.0/24 tunnel=yes
CHR2 IPSec config:
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
    name=VPN pfs-group=none
/ip ipsec peer
add address=10.0.0.1/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 hash-algorithm=sha256 \
    nat-traversal=no passive=yes secret=TEST
/ip ipsec policy
add dst-address=192.168.160.0/24 proposal=VPN sa-dst-address=10.0.0.1 \
    sa-src-address=10.1.0.1 src-address=192.168.170.0/24 tunnel=yes

CHR1 IPSec log:
Nov/10/2016 17:02:51 ipsec,debug,packet ===
Nov/10/2016 17:02:51 ipsec,debug initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug begin Base mode.
Nov/10/2016 17:02:51 ipsec,debug,packet new cookie:
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a7e4f5c87 
Nov/10/2016 17:02:51 ipsec,debug,packet use ID type of IPv4_address
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 132, next type 5
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 8, next type 10
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 24, next type 13
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 16, next type 13
Nov/10/2016 17:02:51 ipsec,debug,packet add payload of len 16, next type 0
Nov/10/2016 17:02:51 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:02:51 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:02:51 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:02:51 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:02:51 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:02:51 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:02:51 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:02:51 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:02:51 ipsec,debug sent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000
Nov/10/2016 17:03:01 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug resent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000
Nov/10/2016 17:03:11 ipsec,debug,packet 244 bytes from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet sockname 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet send packet from 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet send packet to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet src4 10.0.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet dst4 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug,packet 1 times of 244 bytes message will be sent to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug resent phase1 packet 10.0.0.1[500]<=>10.1.0.1[500] 5e8fc30a7e4f5c87:0000000000000000
CHR2 IPSec log:
Nov/10/2016 17:02:51 ipsec,debug ==========
Nov/10/2016 17:02:51 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:02:51 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:02:51 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:02:51 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:02:51 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:02:51 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:02:51 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:02:51 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov/10/2016 17:02:51 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:01 ipsec,debug ==========
Nov/10/2016 17:03:01 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:01 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:11 ipsec,debug ==========
Nov/10/2016 17:03:11 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:11 ipsec,debug no IKEv1 peer config for 10.0.0.1
Nov/10/2016 17:03:21 ipsec,debug ==========
Nov/10/2016 17:03:21 ipsec,debug 244 bytes message received from 10.0.0.1[500] to 10.1.0.1[500]
Nov/10/2016 17:03:21 ipsec,debug no IKEv1 peer config for 10.0.0.1

Thanks and sorry for my English.
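To read what CHR1 actually put on the wire, here is an added Python example (not from the thread and not RouterOS code) that decodes the ISAKMP/IKE header and payload chain from the hex words in the CHR1 log above: the header carries version 1.0 and exchange type 1 (Base), which matches CHR1's "begin Base mode" and CHR2's "no IKEv1 peer config" lines. It also decodes a constructed IKEv2 IKE_SA_INIT header so the two versions can be told apart; the exchange and payload type tables are taken from RFC 2408 and RFC 7296.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hex words of the 244-byte phase-1 packet copied from the CHR1 log above (first transmission).
CHR1_LOG = """\
Nov/10/2016 17:02:51 ipsec,debug,packet 5e8fc30a 7e4f5c87 00000000 00000000 01100100 00000000 000000f4 05000088
Nov/10/2016 17:02:51 ipsec,debug,packet 00000001 00000001 0000007c 01010003 03000028 01010000 800b0001 000c0004
Nov/10/2016 17:02:51 ipsec,debug,packet 00015180 80010007 800e0100 80030001 80020004 80040002 03000028 02010000
Nov/10/2016 17:02:51 ipsec,debug,packet 800b0001 000c0004 00015180 80010007 800e0080 80030001 80020004 80040002
Nov/10/2016 17:02:51 ipsec,debug,packet 00000024 03010000 800b0001 000c0004 00015180 80010005 80030001 80020004
Nov/10/2016 17:02:51 ipsec,debug,packet 80040002 0a00000c 011101f4 0a000001 0d00001c ae6efbcf e7be99bb 23e20de7
Nov/10/2016 17:02:51 ipsec,debug,packet 5510f1cf d88d743e 0c00fd33 0d000014 12f5f28c 457168a9 702d9fe2 74cc0100
Nov/10/2016 17:02:51 ipsec,debug,packet 00000014 afcad713 68a1f1c9 6b8696fc 77570100
"""

HDR = struct.Struct("!8s8sBBBBII")   # ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296) header, 28 bytes
PAYLOAD_HDR = struct.Struct("!BBH")  # generic payload header: next payload, reserved/critical, length
HEX = set("0123456789abcdefABCDEF")
V1_EXCHANGE = {1: "Base", 2: "Identity Protection (Main)", 3: "Authentication Only",
               4: "Aggressive", 5: "Informational"}
V2_EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
V1_PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
              9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
V2_PAYLOAD = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
              40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}

@dataclass
class IkeHeader:
    ispi: bytes
    rspi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    msg_id: int
    length: int

def log_to_bytes(log: str) -> bytes:
    """Collect the 8-hex-digit words that follow the ipsec,debug,packet tag into raw bytes."""
    tag = "ipsec,debug,packet"
    words = [tok for line in log.splitlines() if tag in line
             for tok in line.split(tag, 1)[1].split() if len(tok) == 8 and set(tok) <= HEX]
    return bytes.fromhex("".join(words))

def parse_header(pkt: bytes) -> IkeHeader:
    ispi, rspi, nxt, ver, xchg, flags, msg_id, length = HDR.unpack_from(pkt, 0)
    return IkeHeader(ispi, rspi, nxt, ver >> 4, ver & 0x0F, xchg, flags, msg_id, length)

def exchange_name(h: IkeHeader) -> str:
    table = V1_EXCHANGE if h.major == 1 else V2_EXCHANGE
    return table.get(h.exchange_type, f"unknown({h.exchange_type})")

def walk_payloads(pkt: bytes) -> List[Tuple[str, int, int]]:
    """Follow the next-payload chain; returns (name, offset, total length) per payload.
    Stops after an IKEv2 SK payload, whose contents are encrypted and cannot be walked."""
    h = parse_header(pkt)
    names = V1_PAYLOAD if h.major == 1 else V2_PAYLOAD
    out, nxt, off = [], h.next_payload, HDR.size
    while nxt != 0 and off + PAYLOAD_HDR.size <= len(pkt):
        following, _, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        out.append((names.get(nxt, f"type{nxt}"), off, plen))
        if h.major == 2 and nxt == 46:
            break
        off, nxt = off + plen, following
    return out

def parse_v1_id(pkt: bytes) -> Tuple[str, int, int, str]:
    """Decode the IKEv1 Identification payload; only ID_IPV4_ADDR (type 1) is handled."""
    off = next(o for name, o, _ in walk_payloads(pkt) if name == "ID")
    id_type, proto, port = struct.unpack_from("!BBH", pkt, off + PAYLOAD_HDR.size)
    if id_type != 1:
        raise ValueError(f"unhandled ID type {id_type}")
    return "ID_IPV4_ADDR", proto, port, ".".join(str(b) for b in pkt[off + 8:off + 12])

def diagnose(pkt: bytes) -> str:
    """One-line verdict: which IKE version and exchange type is actually on the wire."""
    h = parse_header(pkt)
    if h.length != len(pkt):
        return f"length field {h.length} does not match {len(pkt)} captured bytes"
    chain = ",".join(name for name, _, _ in walk_payloads(pkt))
    return f"IKEv{h.major}.{h.minor} {exchange_name(h)} exchange, payloads {chain}"

def build_v2_sa_init_sample() -> bytes:
    """Constructed IKEv2 IKE_SA_INIT request (not from the thread) carrying one Nonce payload."""
    nonce = PAYLOAD_HDR.pack(0, 0, PAYLOAD_HDR.size + 16) + bytes(range(16))
    hdr = HDR.pack(bytes.fromhex("0123456789abcdef"), bytes(8), 40, 0x20, 34, 0x08, 0,
                   HDR.size + len(nonce))
    return hdr + nonce

if __name__ == "__main__":
    print(diagnose(log_to_bytes(CHR1_LOG)))
    print(diagnose(build_v2_sa_init_sample()))
```

The decoded ID payload (IPv4 address 10.0.0.1, UDP port 500) is the "use ID type of IPv4_address" line of the same log, so every field the decoder reports can be cross-checked against RouterOS's own debug output.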

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 11, 2016 4:12 pm
by mrz
Please try rc29. If it doesn't work send supout files and logs to support.

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 11, 2016 4:48 pm
by irico
Please try rc29. If it doesn't work send supout files and logs to support.
Yes! Now it works!!! :D

But... only with sha1 or md5 proposal auth-algo.

UPDATE: I have also been able to establish a VPN connection with Azure using IKEv2. Next week I will do more tests with Azure.

Thanks,

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 11, 2016 8:39 pm
by ropeguru
So I have managed to get an IKEv2 phase 1 connection made between RouterOS and a UBNT ERL3.

However, I cannot seem to get the policy working.

Here is my config:
/ip ipsec peer print                  
Flags: X - disabled, D - dynamic 
 0    address=76.27.xxx.xxx/32 passive=no auth-method=pre-shared-key secret="****" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=no 
      nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
      
 /ip ipsec policy print     
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all level=require proposal=default template=yes 

 1 T   group=Group1 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all level=unique proposal=default template=yes 

 2 T   group=Group1 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all level=unique proposal=default template=yes 

/ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none 

/ip ipsec remote-peers print
 0 local-address=71.61.xxx.xxx remote-address=76.27.xxx.xxx state=established side=responder established=16m18s     
      
Here is what I see in my log:
13:31:20 ipsec,debug payload seen: SA 
13:31:20 ipsec,debug payload seen: NONCE 
13:31:20 ipsec,debug payload seen: TS_I 
13:31:20 ipsec,debug payload seen: TS_R 
13:31:20 ipsec,debug create child: respond 
13:31:20 ipsec,debug processing payload: NONCE 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug peer wants tunnel mode 
13:31:20 ipsec,debug processing payload: CONFIG 
13:31:20 ipsec,debug payload not found! 
13:31:20 ipsec,debug processing payload: TS_I 
13:31:20 ipsec,debug 192.168.1.56:514 ipproto:17 
13:31:20 ipsec,debug 192.168.1.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: TS_R 
13:31:20 ipsec,debug 192.168.2.129:514 ipproto:17 
13:31:20 ipsec,debug 192.168.2.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: SA 
13:31:20 ipsec,debug IKE Protocol: ESP 
13:31:20 ipsec,debug  proposal #1 
13:31:20 ipsec,debug   enc: aes128-cbc 
13:31:20 ipsec,debug   auth: sha1 
13:31:20 ipsec,debug   esn: off 
13:31:20 ipsec,debug searching for policy 
13:31:20 ipsec,debug policy not found 
13:31:20 ipsec,error no policy found/generated 
Is that subnet line supposed to have "/24/24" in it? Is this an RC bug?

Re: Feature Req: IKEv2 server and client

Posted: Sun Nov 13, 2016 3:53 am
by jimmydone2
Good evening

In my RB951G the IKEv2 option does not appear in the IPsec exchange mode.

Re: Feature Req: IKEv2 server and client

Posted: Sun Nov 13, 2016 11:20 am
by andriys
In my RB951G the IKEv2 option does not appear in the IPsec exchange mode.
Currently, it is only available in the latest RC builds, and only via CLI (command line / terminal).

Re: Feature Req: IKEv2 server and client

Posted: Sun Nov 13, 2016 4:21 pm
by toto99303
Guys, it's working fine with Windows 10 and client certificate.
But not working with iOS or MacOS :/
16:11:29 ipsec,debug payload seen: ID_I
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: ID_R
16:11:29 ipsec,debug payload seen: CONFIG
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: SA
16:11:29 ipsec,debug payload seen: TS_I
16:11:29 ipsec,debug payload seen: TS_R
16:11:29 ipsec,debug ike auth: respond
16:11:29 ipsec,error payload missing: AUTH
16:11:29 ipsec,error EAP not supported
16:11:29 ipsec,debug reply notify: AUTHENTICATION_FAILED
Are there plans to include EAP soon?

Thanks!

Re: Feature Req: IKEv2 server and client

Posted: Mon Nov 14, 2016 7:54 pm
by mrz
So I have managed to get an IKEv2 phase 1 connection made between RouterOS and a UBNT ERL3.

However, I cannot seem to get the policy working.

Here is my config:
/ip ipsec peer print                  
Flags: X - disabled, D - dynamic 
 0    address=76.27.xxx.xxx/32 passive=no auth-method=pre-shared-key secret="****" generate-policy=no policy-template-group=default exchange-mode=ike2 send-initial-contact=no 
      nat-traversal=no hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp2048 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 
      
 /ip ipsec policy print     
Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 
 0 TX* group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all level=require proposal=default template=yes 

 1 T   group=Group1 src-address=192.168.2.0/24 dst-address=192.168.1.0/24 protocol=all level=unique proposal=default template=yes 

 2 T   group=Group1 src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all level=unique proposal=default template=yes 

/ip ipsec proposal  print 
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=30m pfs-group=none 

/ip ipsec remote-peers print
 0 local-address=71.61.xxx.xxx remote-address=76.27.xxx.xxx state=established side=responder established=16m18s     
      
Here is what I see in my log:
13:31:20 ipsec,debug payload seen: SA 
13:31:20 ipsec,debug payload seen: NONCE 
13:31:20 ipsec,debug payload seen: TS_I 
13:31:20 ipsec,debug payload seen: TS_R 
13:31:20 ipsec,debug create child: respond 
13:31:20 ipsec,debug processing payload: NONCE 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug processing payloads: NOTIFY 
13:31:20 ipsec,debug none payloads found! 
13:31:20 ipsec,debug peer wants tunnel mode 
13:31:20 ipsec,debug processing payload: CONFIG 
13:31:20 ipsec,debug payload not found! 
13:31:20 ipsec,debug processing payload: TS_I 
13:31:20 ipsec,debug 192.168.1.56:514 ipproto:17 
13:31:20 ipsec,debug 192.168.1.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: TS_R 
13:31:20 ipsec,debug 192.168.2.129:514 ipproto:17 
13:31:20 ipsec,debug 192.168.2.0/24/24 ipproto:0 
13:31:20 ipsec,debug processing payload: SA 
13:31:20 ipsec,debug IKE Protocol: ESP 
13:31:20 ipsec,debug  proposal #1 
13:31:20 ipsec,debug   enc: aes128-cbc 
13:31:20 ipsec,debug   auth: sha1 
13:31:20 ipsec,debug   esn: off 
13:31:20 ipsec,debug searching for policy 
13:31:20 ipsec,debug policy not found 
13:31:20 ipsec,error no policy found/generated 
Is that subnet line supposed to have "/24/24" in it? Is this an RC bug?

Set generate-policy in the peer config if you want policies to be generated automatically. If not, then set up static policies. Currently you have only policy templates.

Re: Feature Req: IKEv2 server and client

Posted: Mon Nov 14, 2016 7:57 pm
by mrz
Guys, it's working fine with Windows 10 and a client certificate.
But not working with iOS or macOS :/
16:11:29 ipsec,debug payload seen: ID_I
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: ID_R
16:11:29 ipsec,debug payload seen: CONFIG
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: NOTIFY
16:11:29 ipsec,debug payload seen: SA
16:11:29 ipsec,debug payload seen: TS_I
16:11:29 ipsec,debug payload seen: TS_R
16:11:29 ipsec,debug ike auth: respond
16:11:29 ipsec,error payload missing: AUTH
16:11:29 ipsec,error EAP not supported
16:11:29 ipsec,debug reply notify: AUTHENTICATION_FAILED
Are there plans to include EAP soon?

Thanks!

Currently it works with Macs with PSK and should work with certificates without EAP. In the future it will be possible to use EAP with a RADIUS server.

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 15, 2016 1:09 pm
by toto99303
Currently it works with Macs with PSK and should work with certificates without EAP. In the future it will be possible to use EAP with a RADIUS server.
OK, got it working with iOS with certificates (enc 3des, auth sha1, esn off), but I'm getting extremely slow speeds. ICMP pings look fine, but Speedtest gives me 0.1 MBit/s or lower :( Access to local resources is at the same slow speed... Something is generally messed up... Can you point me to how to troubleshoot this?

Re: Feature Req: IKEv2 server and client

Posted: Wed Nov 16, 2016 12:30 pm
by nicecloud
Any IKEv2 examples yet for connecting to Azure?

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 17, 2016 2:57 pm
by irico
Any IKEv2 examples yet for connecting to Azure?
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address={AZURE_IP/32} dpd-interval=disable-dpd enc-algorithm=\
    aes-256,3des exchange-mode=ike2 local-address={LOCAL_IP} \
    nat-traversal=no secret={SECRET}
/ip ipsec policy
add dst-address={AZURE_SUBNET} proposal=Azure sa-dst-address={AZURE_IP} \
    sa-src-address={LOCAL_IP} src-address={LOCAL_SUBNET} tunnel=yes
Add firewall filter rules to accept IPsec, and an accept rule before the NAT masquerade rule for traffic between {AZURE_SUBNET} and {LOCAL_SUBNET}.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 17, 2016 3:22 pm
by nicecloud
Many Thanks,

Connect OK :-)

Start testing traffic and multisite connection now.

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 18, 2016 10:17 am
by nicecloud
Lost connection to Azure during the night; rebooted the RB and it took more than 5 minutes to get connected again, and I had to kill the installed SA 2 times before traffic was up.

Installed SA showed Auth none and Encr Algorithm none.

After 3 attempts
Installed SA showed Auth sha1 and Encr Algorithm aes cbc.

Re: Feature Req: IKEv2 server and client

Posted: Tue Nov 22, 2016 5:39 pm
by localsnet
Could somebody tell me how to configure the server-client type connection (between 2 MikroTiks)?
I've been trying to configure it (I started using the code exactly from that headline) with the Road Warrior setup, IKEv2 RSA auth (on http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth)
But I'm really confused, since I've read here that IKEv2 is not supported yet in stable versions.
IKEv2 doesn't matter for me, because I use version 6.36.3, and I just need an IPsec tunnel, so IKEv1 or anything else would be fine for my purpose.
Is that manual suitable for it?
Thanks in advance.

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 24, 2016 9:10 am
by nicecloud
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
It stopped working yesterday; after upgrading from 6.38rc31 I cannot connect to Azure anymore with IKEv2.


Nov/24/2016 07:57:22 ipsec,debug ike2 initialize send for: 40.69.xx.xx
Nov/24/2016 07:57:22 ipsec,debug adding payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9
Nov/24/2016 07:57:22 ipsec,debug adding payload: KE
Nov/24/2016 07:57:22 ipsec,debug => (size 0x88)
Nov/24/2016 07:57:22 ipsec,debug 00000088 00020000 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b
Nov/24/2016 07:57:22 ipsec,debug 1503daa6 80490813 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8
Nov/24/2016 07:57:22 ipsec,debug f432965a 6322099e 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d
Nov/24/2016 07:57:22 ipsec,debug 827b44a1 d2253687 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2
Nov/24/2016 07:57:22 ipsec,debug b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x38)
Nov/24/2016 07:57:22 ipsec,debug 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 248 bytes from 90.230.xx.xx[500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 248 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 00000000 00000000 28202208 00000000 000000f8 2200001c
Nov/24/2016 07:57:22 ipsec,debug,packet 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9 21000088 00020000
Nov/24/2016 07:57:22 ipsec,debug,packet 0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b 1503daa6 80490813
Nov/24/2016 07:57:22 ipsec,debug,packet 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8 f432965a 6322099e
Nov/24/2016 07:57:22 ipsec,debug,packet 24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d 827b44a1 d2253687
Nov/24/2016 07:57:22 ipsec,debug,packet 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2 b54c2cdf 8d3d987b
Nov/24/2016 07:57:22 ipsec,debug,packet 00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003
Nov/24/2016 07:57:22 ipsec,debug,packet 03000008 02000002 03000008 03000002 00000008 04000002
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug 360 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 21202220 00000000 00000168 2200002c
Nov/24/2016 07:57:22 ipsec,debug,packet 00000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
Nov/24/2016 07:57:22 ipsec,debug,packet 00000008 04000002 28000088 00020000 1ef4d74b 7a2324f4 38cfd8c1 057801b1
Nov/24/2016 07:57:22 ipsec,debug,packet 7ec0aa27 9133bf6f e9a3405e 146c3c11 4db05fc1 2e5765cb 014b4418 4d472344
Nov/24/2016 07:57:22 ipsec,debug,packet deffb658 39f8e919 a28613f7 da534ad0 5e6447fe 99dbea13 76a00f38 5a7a0326
Nov/24/2016 07:57:22 ipsec,debug,packet dad3de1e 4bd4d8f6 aae10ef0 9cf836a7 6ce5cfc8 aec552c9 8868f2ef 9ae89ba5
Nov/24/2016 07:57:22 ipsec,debug,packet f68f2841 f7634f9d 5d7dd9d9 2a8f1955 29000034 bcafebac f1a382fa d0531734
Nov/24/2016 07:57:22 ipsec,debug,packet 699ae223 1943659e d22c16f0 01287867 ab70da56 db0ffa4b e3c11c05 bf0558d1
Nov/24/2016 07:57:22 ipsec,debug,packet 17a87560 2900001c 00004004 a2e20be3 8c67110c 0b912f1d cb1489b8 9e842ec8
Nov/24/2016 07:57:22 ipsec,debug,packet 2b00001c 00004005 844bae0e f5c14ca6 7ea880bb beda2481 ed73ab19 2b000018
Nov/24/2016 07:57:22 ipsec,debug,packet 1e2b5169 05991c7d 7c96fcbf b587e461 00000009 00000014 fb1de3cd f341b7ea
Nov/24/2016 07:57:22 ipsec,debug,packet 16b7e5be 0855f120
Nov/24/2016 07:57:22 ipsec,debug ike2 answer exchange: SA_INIT id: 0
Nov/24/2016 07:57:22 ipsec,debug ike2 initialize recv
Nov/24/2016 07:57:22 ipsec,debug payload seen: SA
Nov/24/2016 07:57:22 ipsec,debug payload seen: KE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NONCE
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug payload seen: VID
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug processing payload: SA
Nov/24/2016 07:57:22 ipsec,debug IKE Protocol: IKE
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug matched proposal:
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug prf: hmac-sha1
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug dh: modp1024
Nov/24/2016 07:57:22 ipsec,debug processing payload: KE
Nov/24/2016 07:57:22 ipsec,debug => shared secret (size 0x80)
Nov/24/2016 07:57:22 ipsec,debug 23a1422e 300e93a0 761622b9 25feede4 0ad4093c d2e6ca0e eecacdd3 2514814a
Nov/24/2016 07:57:22 ipsec,debug c177b735 ec3c3bd0 027c6e5f 8b4d476d bf76fd01 ccfaf27c bb1349e2 862cd09f
Nov/24/2016 07:57:22 ipsec,debug 0b4dc8e2 3f026a11 77b1b87d 17bf9a43 65a38c2b e845d36f 40be6363 a21b11e8
Nov/24/2016 07:57:22 ipsec,debug 1351f0a1 b211bdbd 6bfeb507 2b2852aa f2835a57 4c0b5d7c 27247e2d 2cd846fb
Nov/24/2016 07:57:22 ipsec,debug => skeyseed (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 23136c2f 6c546675 0130703a 0a81137a b14b247b
Nov/24/2016 07:57:22 ipsec,debug => keymat (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4559909e 1d8b5b1c a2b4f740 70fb2601 31fa1285
Nov/24/2016 07:57:22 ipsec,debug => SK_ai (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug e40086cc a0eb2dde cb24a153 5e44ea7b 6f8879b6
Nov/24/2016 07:57:22 ipsec,debug => SK_ar (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 313cd9ed 9a8241d9 4ac8d984 be808d65 93a4fbc3
Nov/24/2016 07:57:22 ipsec,debug => SK_ei (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 6289b5e3 c2c2bc0d 2159685f 91ef3a2b 84f53aba cc1880f1
Nov/24/2016 07:57:22 ipsec,debug => SK_er (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 0ba7222c 93db7e76 2033ca84 6216b55c 7bdf1db8 bb2a368c
Nov/24/2016 07:57:22 ipsec,debug => SK_pi (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => SK_pr (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 3556df29 f492a040 0911c3c9 432e563b 925ff52b
Nov/24/2016 07:57:22 ipsec,debug processing payloads: NOTIFY
Nov/24/2016 07:57:22 ipsec,debug new ph1 initiator connection established
Nov/24/2016 07:57:22 ipsec,info new ike2 initiator connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug init child for policy: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:22 ipsec,debug GETSPI sent: 40.69.xx.xx->90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug ikev2 got spi 0xbfe4b79
Nov/24/2016 07:57:22 ipsec,debug init child continue
Nov/24/2016 07:57:22 ipsec,debug offering proto: 3
Nov/24/2016 07:57:22 ipsec,debug proposal #1
Nov/24/2016 07:57:22 ipsec,debug enc: aes256-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: aes128-cbc
Nov/24/2016 07:57:22 ipsec,debug enc: 3des-cbc
Nov/24/2016 07:57:22 ipsec,debug auth: sha1
Nov/24/2016 07:57:22 ipsec,debug esn: off
Nov/24/2016 07:57:22 ipsec,debug initiator selector: 192.168.254.0/24/24 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug responder selector: 10.0.0.0/16/16 ipproto:0
Nov/24/2016 07:57:22 ipsec,debug => selector created (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug my ID (ADDR): 90.230.xx.xx
Nov/24/2016 07:57:22 ipsec,debug processing payload: NONCE
Nov/24/2016 07:57:22 ipsec,debug => auth nonce (size 0x30)
Nov/24/2016 07:57:22 ipsec,debug bcafebac f1a382fa d0531734 699ae223 1943659e d22c16f0 01287867 ab70da56
Nov/24/2016 07:57:22 ipsec,debug db0ffa4b e3c11c05 bf0558d1 17a87560
Nov/24/2016 07:57:22 ipsec,debug => SK_p (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 5b7364db 3af28b3a 33f9e506 dd622c7e 3a14da08
Nov/24/2016 07:57:22 ipsec,debug => idhash (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 60c43fad 004a4185 588d3808 9fc2816c 9afc6931
Nov/24/2016 07:57:22 ipsec,debug => my auth (size 0x14)
Nov/24/2016 07:57:22 ipsec,debug 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: ID_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0xc)
Nov/24/2016 07:57:22 ipsec,debug 0000000c 01000000 5ae6172c
Nov/24/2016 07:57:22 ipsec,debug adding payload: AUTH
Nov/24/2016 07:57:22 ipsec,debug => (size 0x1c)
Nov/24/2016 07:57:22 ipsec,debug 0000001c 02000000 4397a78a a54f8842 a39aed6a dce056a7 782a122b
Nov/24/2016 07:57:22 ipsec,debug adding payload: SA
Nov/24/2016 07:57:22 ipsec,debug => (size 0x40)
Nov/24/2016 07:57:22 ipsec,debug 00000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100 0300000c
Nov/24/2016 07:57:22 ipsec,debug 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008 05000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_I
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff
Nov/24/2016 07:57:22 ipsec,debug adding payload: TS_R
Nov/24/2016 07:57:22 ipsec,debug => (size 0x18)
Nov/24/2016 07:57:22 ipsec,debug 00000018 01000000 07000010 0000ffff 0a000000 0a00ffff
Nov/24/2016 07:57:22 ipsec,debug,packet => outgoing plain packet (size 0x200)
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 23202308 00000001 00000000 2700000c
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 5ae6172c 2100001c 02000000 4397a78a a54f8842 a39aed6a dce056a7
Nov/24/2016 07:57:22 ipsec,debug,packet 782a122b 2c000040 0000003c 01030405 0bfe4b79 0300000c 0100000c 800e0100
Nov/24/2016 07:57:22 ipsec,debug,packet 0300000c 0100000c 800e0080 03000008 01000003 03000008 03000002 00000008
Nov/24/2016 07:57:22 ipsec,debug,packet 05000000 2d000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff 00000018
Nov/24/2016 07:57:22 ipsec,debug,packet 01000000 07000010 0000ffff 0a000000 0a00ffff 6c8299b1 cae4ff1b 38567595
Nov/24/2016 07:57:22 ipsec,debug,packet a6b8cbdf f40a2139 526c87a3 c0defd1d 2e405367 7c92a9c1 daf40f2b 486685a5
Nov/24/2016 07:57:22 ipsec,debug,packet b6c8dbef 041a3149 627c97b3 d0ee0d2d 3e506377 8ca2b9d1 ea041f3b 587695b5
Nov/24/2016 07:57:22 ipsec,debug,packet
Nov/24/2016 07:57:22 ipsec,debug,packet c6d8ebff 142a4159 728ca7c3 e0fe1d3d 4e607387 9cb2c9e1 fa142f4b 6886a5c5
Nov/24/2016 07:57:22 ipsec,debug,packet d6e8fb0f 243a5169 829cb7d3 f00e2d4d 5e708397 acc2d9f1 0a243f5b 7896b5d5
Nov/24/2016 07:57:22 ipsec,debug,packet e6f80b1f 344a6179 92acc7e3 001e3d5d 00000000 00000438 77b03940 00486458
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
Nov/24/2016 07:57:22 ipsec,debug,packet 00000000 00000000 00478530 00478328 00478294 01000000 0047c844 00000000
Nov/24/2016 07:57:22 ipsec,debug adding payload: ENC
Nov/24/2016 07:57:22 ipsec,debug => (first 0x100 of 0x138)
Nov/24/2016 07:57:22 ipsec,debug 23000138 a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c
Nov/24/2016 07:57:22 ipsec,debug fe9a846b ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9
Nov/24/2016 07:57:22 ipsec,debug 14f0c747 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e
Nov/24/2016 07:57:22 ipsec,debug 743c37af ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6
Nov/24/2016 07:57:22 ipsec,debug ddc9aa88 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565
Nov/24/2016 07:57:22 ipsec,debug 1be76a2a 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8
Nov/24/2016 07:57:22 ipsec,debug 750a959c 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840
Nov/24/2016 07:57:22 ipsec,debug 9bff07ee c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea
Nov/24/2016 07:57:22 ipsec,debug ==========
Nov/24/2016 07:57:22 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:22 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:22 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:22 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:22 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:22 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:22 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:22 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:22 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:22 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:22 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:22 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:22 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:24 ipsec,debug acquire for 90.230.xx.xx <=> 40.69.xx.xx
Nov/24/2016 07:57:24 ipsec,debug suitable policy found: 192.168.254.0/24/24:0 <=> 10.0.0.0/16/16:0 ipproto:255
Nov/24/2016 07:57:24 ipsec,debug connection found for peer: 40.69.xx.xx[500]
Nov/24/2016 07:57:24 ipsec,debug SA with policy exists, ignoring
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug 68 bytes message received from 40.69.xx.xx[500] to 90.230.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet dcaf5a58 5bfb5571 5fcc6125 1f57a934 2e202508 00000001 00000044 29000028
Nov/24/2016 07:57:27 ipsec,debug,packet cfc63abf 9907ec99 c63980f8 d21f1e75 3f8e8242 95c2c7cd 9684f17b b1cc06e6
Nov/24/2016 07:57:27 ipsec,debug,packet 0db1f801
Nov/24/2016 07:57:27 ipsec,debug ike2 request exchange: INFORMATIONAL id: 1
Nov/24/2016 07:57:27 ipsec,debug spi not registred
Nov/24/2016 07:57:27 ipsec,debug retransmit
Nov/24/2016 07:57:27 ipsec,debug ==========
Nov/24/2016 07:57:27 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:27 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:27 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:27 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:27 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:27 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:27 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:27 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:27 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:27 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:27 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:27 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:27 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:32 ipsec,debug retransmit
Nov/24/2016 07:57:32 ipsec,debug ==========
Nov/24/2016 07:57:32 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:32 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:32 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:32 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:32 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:32 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:32 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:32 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:32 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:32 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:32 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:32 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:32 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:37 ipsec,debug retransmit
Nov/24/2016 07:57:37 ipsec,debug ==========
Nov/24/2016 07:57:37 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:37 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:37 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:37 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:37 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:37 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:37 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:37 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:37 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:37 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:37 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:37 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:37 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:42 ipsec,debug retransmit
Nov/24/2016 07:57:42 ipsec,debug ==========
Nov/24/2016 07:57:42 ipsec,debug sending 340 bytes from 90.230.xx.xx[4500] to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet sockname 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet from 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet send packet to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet src4 90.230.xx.xx[4500]
Nov/24/2016 07:57:42 ipsec,debug,packet dst4 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 1 times of 344 bytes message will be sent to 40.69.xx.xx[500]
Nov/24/2016 07:57:42 ipsec,debug,packet 2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138
Nov/24/2016 07:57:42 ipsec,debug,packet a15c458a c587a17c 64bd3bf8 1a2be95c debff3ba fae27bdd 281cb34c fe9a846b
Nov/24/2016 07:57:42 ipsec,debug,packet ac1e4a8e 7dc445a4 ac349f3e 9875eda0 bd04c2f9 0cd6d67a 3e0185c9 14f0c747
Nov/24/2016 07:57:42 ipsec,debug,packet 28e5ee1b 2757557c ea497421 6c367581 2253c100 6dc9a957 c794003e 743c37af
Nov/24/2016 07:57:42 ipsec,debug,packet ad0e227c ac1d3d9c 725e97ec 673f96e0 30ec7206 17c86e0a 1a72eca6 ddc9aa88
Nov/24/2016 07:57:42 ipsec,debug,packet 836d75e8 19f75bcb 5a5adb95 5752689b 45cae683 da3e8980 bbd5e565 1be76a2a
Nov/24/2016 07:57:42 ipsec,debug,packet 7cd317f0 cb6e5175 4bce2320 ce54a129 599358e3 a898f495 50662ed8 750a959c
Nov/24/2016 07:57:42 ipsec,debug,packet 26369b14 99ca53af 8d10d826 15de5aa3 7ef70053 7049a234 e0137840 9bff07ee
Nov/24/2016 07:57:42 ipsec,debug,packet c0d1bc77 f620319c 42c9708f 08d34573 7cd4cf84 1e4c232f 5a2bd1ea 1c1dffdd
Nov/24/2016 07:57:42 ipsec,debug,packet b20441fd 5f8d3028 2bfb4a17 4442aef6 fdefd5c8 a15755e9 27c8929c 510b7c46
Nov/24/2016 07:57:42 ipsec,debug,packet e17d4473 491227a3 ec575ab8 27913ccb a87668ae
Nov/24/2016 07:57:47 ipsec,debug retransmit
Nov/24/2016 07:57:47 ipsec,info killing connection: 90.230.xx.xx[4500]<->40.69.xx.xx[500]
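As an added example (not code from MikroTik or from anyone in this thread), the Python below decodes the hex that RouterOS prints on its ipsec,debug,packet lines, using the four messages from the log above: the IKE_SA_INIT the router sent, the reply from Azure, the IKE_AUTH the router then sent, and the 68-byte INFORMATIONAL that arrived at 07:57:27. The constants follow RFC 7296 and the IANA IKEv2 registries; only a handful of algorithm IDs are mapped. Two things fall out of the decode: the reply's SA payload shows that Azure picked 3DES / HMAC-SHA1 / MODP-1024 out of the router's offer (the weakest of the offered set, so worth tightening on both ends once the tunnel is stable), and the INFORMATIONAL carries an initiator/responder SPI pair that does not belong to the IKE SA just negotiated, which is exactly what the "spi not registred" line is reporting before the IKE_AUTH retransmits time out.

```python
# Added example (not MikroTik code): decode the hex that RouterOS prints on its
# "ipsec,debug,packet" lines. Constants follow RFC 7296 / IANA IKEv2 registries.
import struct

EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {0: "NONE", 33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
           40: "NONCE", 41: "NOTIFY", 42: "DELETE", 43: "VID", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
TRANSFORM_TYPE = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH", 5: "ESN"}
TRANSFORM_ID = {"ENCR": {3: "3DES", 12: "AES-CBC", 20: "AES-GCM-16"},
                "PRF": {1: "HMAC-MD5", 2: "HMAC-SHA1", 5: "HMAC-SHA2-256"},
                "INTEG": {1: "HMAC-MD5-96", 2: "HMAC-SHA1-96", 12: "HMAC-SHA2-256-128"},
                "DH": {2: "MODP-1024", 14: "MODP-2048", 19: "ECP-256"}, "ESN": {0: "off", 1: "on"}}
PROTOCOL = {1: "IKE", 2: "AH", 3: "ESP"}
NOTIFY = {14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE",
          16388: "NAT_DETECTION_SOURCE_IP", 16389: "NAT_DETECTION_DESTINATION_IP"}


def parse_header(raw):
    """Fixed 28-byte IKE header: SPIs, next payload, version, exchange type, flags, message id, length."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", raw[:28])
    return {"spi_i": f"{spi_i:016x}", "spi_r": f"{spi_r:016x}", "next": PAYLOAD.get(nxt, str(nxt)),
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, str(exch)),
            "initiator": bool(flags & 0x08), "response": bool(flags & 0x20), "msg_id": msg_id, "length": length}


def parse_sa(body):
    """SA payload body (RFC 7296 s3.3): one 'TYPE=ALG' string per transform, grouped by proposal."""
    proposals, off = [], 0
    while off < len(body):
        _, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            tname = TRANSFORM_TYPE.get(ttype, str(ttype))
            alg = TRANSFORM_ID.get(tname, {}).get(tid, str(tid))
            aoff = toff + 8                                  # transform attributes follow the header
            while aoff < toff + tlen:
                atype, aval = struct.unpack("!HH", body[aoff:aoff + 4])
                if atype & 0x8000:                           # TV form: aval is the value (14 = key length)
                    alg += f"-{aval}" if (atype & 0x7FFF) == 14 else ""
                    aoff += 4
                else:                                        # TLV form: aval is the value length
                    aoff += 4 + aval
            transforms.append(f"{tname}={alg}")
            toff += tlen
        proposals.append({"num": num, "protocol": PROTOCOL.get(proto, str(proto)), "transforms": transforms})
        off += plen
    return proposals


def parse_message(hexdump):
    """Walk the payload chain of one message; stops at SK, whose contents are encrypted."""
    raw = bytes.fromhex("".join(hexdump.split()))
    hdr, payloads, off, kind = parse_header(raw), [], 28, raw[16]
    while kind != 0 and off + 4 <= len(raw):
        nxt, _, plen = struct.unpack("!BBH", raw[off:off + 4])
        body, entry = raw[off + 4:off + plen], {"type": PAYLOAD.get(kind, str(kind)), "len": plen}
        if kind == 33:
            entry["proposals"] = parse_sa(body)
        elif kind == 34:                                     # KE: first two bytes name the DH group
            entry["dh_group"] = TRANSFORM_ID["DH"].get(struct.unpack("!H", body[:2])[0], "?")
        elif kind == 41:                                     # NOTIFY: proto(1) spi_size(1) type(2)
            entry["notify"] = NOTIFY.get(struct.unpack("!H", body[2:4])[0], "?")
        payloads.append(entry)
        if kind == 46:
            break
        kind, off = nxt, off + plen
    return {"header": hdr, "payloads": payloads}


def same_ike_sa(a, b):
    """True when two headers belong to the same IKE SA (same initiator and responder SPI)."""
    return (a["spi_i"], a["spi_r"]) == (b["spi_i"], b["spi_r"])


# Hex copied from the RouterOS log above (addresses are not part of the packet bytes).
SA_INIT_SENT = """2111955a 077f164c 00000000 00000000 28202208 00000000 000000f8 2200001c 3bf4f900 c8613469 8bc009a8 1b57d794 fdc60ce9 f6e9dcb9 21000088 00020000
0f4e87a5 8496dc9c 03269876 2b020be1 d00002e8 1e79da1b 1503daa6 80490813 1040b8ad b1c38973 d78f185b 1c3596f2 bca14ab2 4a5a46e8 f432965a 6322099e
24e468fd f8b892e7 f4911f2f 0585e1b4 39710001 cc9bc48d 827b44a1 d2253687 80574323 3cccfe1d d0782904 69dbdadc d3f308ce c751b8f2 b54c2cdf 8d3d987b
00000038 00000034 01010005 0300000c 0100000c 800e0100 03000008 01000003 03000008 02000002 03000008 03000002 00000008 04000002"""
SA_INIT_RECV = """2111955a 077f164c 4c5be975 ed9c8373 21202220 00000000 00000168 2200002c 00000028 01010004 03000008 01000003 03000008 03000002 03000008 02000002
00000008 04000002 28000088 00020000 1ef4d74b 7a2324f4 38cfd8c1 057801b1 7ec0aa27 9133bf6f e9a3405e 146c3c11 4db05fc1 2e5765cb 014b4418 4d472344
deffb658 39f8e919 a28613f7 da534ad0 5e6447fe 99dbea13 76a00f38 5a7a0326 dad3de1e 4bd4d8f6 aae10ef0 9cf836a7 6ce5cfc8 aec552c9 8868f2ef 9ae89ba5
f68f2841 f7634f9d 5d7dd9d9 2a8f1955 29000034 bcafebac f1a382fa d0531734 699ae223 1943659e d22c16f0 01287867 ab70da56 db0ffa4b e3c11c05 bf0558d1
17a87560 2900001c 00004004 a2e20be3 8c67110c 0b912f1d cb1489b8 9e842ec8 2b00001c 00004005 844bae0e f5c14ca6 7ea880bb beda2481 ed73ab19 2b000018
1e2b5169 05991c7d 7c96fcbf b587e461 00000009 00000014 fb1de3cd f341b7ea 16b7e5be 0855f120"""
# For the two encrypted messages only the IKE header plus the SK payload header is needed.
IKE_AUTH_SENT = "2111955a 077f164c 4c5be975 ed9c8373 2e202308 00000001 00000154 23000138"
INFO_RECV = "dcaf5a58 5bfb5571 5fcc6125 1f57a934 2e202508 00000001 00000044 29000028"

if __name__ == "__main__":
    for label, dump in (("sent", SA_INIT_SENT), ("recv", SA_INIT_RECV), ("auth", IKE_AUTH_SENT), ("info", INFO_RECV)):
        m = parse_message(dump)
        print(label, m["header"]["exchange"], m["header"]["spi_i"], m["header"]["spi_r"], m["payloads"])
```

Feed it any other ipsec,debug,packet dump the same way: join the hex words, and the first plaintext exchange (IKE_SA_INIT) decodes fully, while later exchanges stop at the SK payload. One caveat on the log itself: the same debug output prints the DH shared secret and every derived SK_* key (the "=> shared secret" and "=> SK_ai" lines above), so a copy of such a log is as sensitive as the keys it contains and should be shared with the same care as the pre-shared secret.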

Re: Feature Req: IKEv2 server and client

Posted: Thu Nov 24, 2016 10:48 am
by irico
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
It stopped working yesterday; after upgrading from 6.38rc31 I cannot connect to Azure anymore with IKEv2.

[...]
Same problem here. Latest RC version can't connect with Azure.
In another test lab, IKEv2 between two MikroTiks also fails.

Re: Feature Req: IKEv2 server and client

Posted: Mon Nov 28, 2016 12:39 am
by telnetpr
Anything yet? This post is from last year. Please we need it @mikrotik

Re: Feature Req: IKEv2 server and client

Posted: Mon Nov 28, 2016 12:43 am
by rllavona13
Hello, I need this too, ASAP. Like many other customers of yours...


Sent from my iPhone using Tapatalk

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 06, 2016 10:07 pm
by hacknix
Hi,

Some feedback on IKEv2.

Firstly, thank you very much for this. After much fiddling, I have got RouterOS to talk to Strongswan, with a couple of caveats:

I can only get a Phase 1 proposal using MD5 as HMAC to work. I can't get any of the SHA variants to work at all, I just get "no proposal chosen". I think this has something to do with KPDK_MD5 being in the proposal that is sent, regardless of which HMAC is actually chosen in the proposal, although I am not an expert on this, so I am very happy to be proven wrong!

Also, I cannot get a child SA with a destination subnet of "0.0.0.0/0" to work, I get a TS_UNACCEPTABLE. However, if I change the expected "leftsubnet" on strongSwan to simply "0.0.0.0" it works, suggesting that RouterOS is not appending the "/0" as it should. I need this as I am trying to route all traffic (IPv4 and IPv6) over the tunnel.

Thanks again.

hacknix
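An added example (not strongSwan or MikroTik code) for checking a traffic-selector mismatch like the one hacknix describes. IKEv2 does not carry subnets at all: a TSi/TSr payload (RFC 7296 section 3.13) carries address ranges, so "0.0.0.0/0" goes on the wire as 0.0.0.0-255.255.255.255 while the single host 0.0.0.0 is 0.0.0.0-0.0.0.0, and comparing the decoded range from a debug dump against what the other side expects tells you which one was actually sent. The code encodes and decodes the IPv4 range selector type, decodes the two "selector created" payloads from nicecloud's log above (192.168.254.0/24 and 10.0.0.0/16), and implements the responder's narrowing rule from RFC 7296 section 2.9, which is what produces TS_UNACCEPTABLE when the proposed and configured selectors have no overlap.

```python
# Added example (not strongSwan or MikroTik code): encode/decode IKEv2 Traffic Selector
# payload bodies (RFC 7296 s3.13) and apply the responder narrowing rule (s2.9).
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7


def encode_ts(network, proto=0, ports=(0, 65535)):
    """TS payload body for one IPv4 network: selector count, 3 reserved bytes, one selector."""
    net = ipaddress.ip_network(network, strict=False)
    sel = struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, 16, ports[0], ports[1],
                      net.network_address.packed, net.broadcast_address.packed)
    return struct.pack("!B3x", 1) + sel


def decode_ts(body):
    """Decode every selector in a TS payload body; the range is summarised as CIDR when it is one block."""
    count, out, off = body[0], [], 4
    for _ in range(count):
        ts_type, proto, length, sp, ep = struct.unpack("!BBHHH", body[off:off + 8])
        if ts_type != TS_IPV4_ADDR_RANGE:
            raise ValueError(f"unsupported TS type {ts_type}")
        start = ipaddress.IPv4Address(body[off + 8:off + 12])
        end = ipaddress.IPv4Address(body[off + 12:off + 16])
        blocks = list(ipaddress.summarize_address_range(start, end))
        cidr = str(blocks[0]) if len(blocks) == 1 else f"{start}-{end}"
        out.append({"start": str(start), "end": str(end), "proto": proto, "ports": (sp, ep), "cidr": cidr})
        off += length
    return out


def narrow(proposed, configured):
    """RFC 7296 s2.9: the responder narrows the initiator's selector to the overlap with its own policy.
    No overlap means the responder answers TS_UNACCEPTABLE, represented here by None."""
    a = ipaddress.ip_network(proposed, strict=False)
    b = ipaddress.ip_network(configured, strict=False)
    if a.subnet_of(b):
        return str(a)
    if b.subnet_of(a):
        return str(b)
    return None


# The two "selector created" payloads from the log above; the first 4 bytes are the generic
# payload header (next payload 0, length 0x18) and are stripped to get the TS body.
LOG_TSI = bytes.fromhex("00000018 01000000 07000010 0000ffff c0a8fe00 c0a8feff".replace(" ", ""))[4:]
LOG_TSR = bytes.fromhex("00000018 01000000 07000010 0000ffff 0a000000 0a00ffff".replace(" ", ""))[4:]

if __name__ == "__main__":
    print("TSi from log:", decode_ts(LOG_TSI))
    print("TSr from log:", decode_ts(LOG_TSR))
    print("0.0.0.0/0 on the wire:", encode_ts("0.0.0.0/0").hex())
    print("0.0.0.0 host on the wire:", encode_ts("0.0.0.0/32").hex())
    print("narrow 0.0.0.0/32 into 0.0.0.0/0:", narrow("0.0.0.0/32", "0.0.0.0/0"))
```

The RouterOS display form "192.168.254.0/24/24" in the log is just the router's own rendering of a selector; the bytes after "selector created" are what the peer sees, and those decode to a plain 192.168.254.0-192.168.254.255 range with all ports.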

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 07, 2016 12:15 pm
by mrz
@hacknix can you enable ipsec logs, try to make a connection, generate supout file and send it to support?

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 08, 2016 7:28 pm
by hacknix
@mrz - thanks for the reply. Yes, I will do that, thanks for the response.

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 08, 2016 7:45 pm
by hacknix
@mrz - I have not sent a supout file before. Does this file contain my sensitive information, like keys, passwords and IP addresses?

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 08, 2016 7:49 pm
by mrz
No it does not contain sensitive info.

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 08, 2016 7:58 pm
by hacknix
thanks :-)

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 09, 2016 10:45 am
by manbot
Hi everyone!
In 6.38rc45 I was able to connect my Mac to my Home Lab via IKEv2 with pushing routes :)

Good job, MikroTik!!!

Re: Feature Req: IKEv2 server and client

Posted: Sat Dec 10, 2016 1:37 pm
by maznu
I asked this in the 6.38rc thread, but maybe here is better. I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that this is EAP and XAuth (with RADIUS), but I haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this. Is this something 6.38rc can do yet, or is it "coming soon"?

Re: Feature Req: IKEv2 server and client

Posted: Sun Dec 11, 2016 7:01 am
by ckleea
I am also looking forward to having a sample configuration for iOS clients and site-to-site with strongSwan.

Re: Feature Req: IKEv2 server and client

Posted: Mon Dec 12, 2016 12:03 pm
by toto99303
I got it working with Pre-Shared key with my iPhone using this config:
/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec policy
set 0 level=unique dst-address=192.168.77.0/24
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32
/ip ipsec peer
add auth-method=pre-shared-key passive=yes secret=your_secret policy-template-group=default exchange-mode=ike2 nat-traversal=yes mode-config=cfg1  generate-policy=port-strict enc-algorithm=aes-128 dh-group=modp1024
But it's very very slow! I think I have MTU problem, but I don't know how to fix it for UDP traffic....anyone?

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 13, 2016 1:17 am
by ckleea
I got it working with Pre-Shared key with my iPhone using this config:
/ip pool add name=rw-pool ranges=192.168.77.2-192.168.77.254
/ip ipsec policy
set 0 level=unique dst-address=192.168.77.0/24
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32
/ip ipsec peer
add auth-method=pre-shared-key passive=yes secret=your_secret policy-template-group=default exchange-mode=ike2 nat-traversal=yes mode-config=cfg1  generate-policy=port-strict enc-algorithm=aes-128 dh-group=modp1024
But it's very very slow! I think I have MTU problem, but I don't know how to fix it for UDP traffic....anyone?
Something is wrong with this; should it be system-dns=yes?
/ip ipsec mode-conf
add name=cfg1 send-dns=yes address-pool=rw-pool address-prefix=32

Besides, how do you configure the iphone client with IKEv2?

Thanks

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 13, 2016 9:26 am
by toto99303
You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 14, 2016 3:26 pm
by ckleea
You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile
Can I have a copy of your ios mobileconfig?

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 14, 2016 3:28 pm
by normis
You can use Mobileconfig for ease of use, but you can also set it up by hand, we have example here:
http://wiki.mikrotik.com/wiki/Manual:IP ... ient_Notes

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 14, 2016 5:48 pm
by mrz
I asked this in the 6.38rc thread, but maybe here is better. I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast!

My question is whether or not it is possible to create an IKEv2 configuration on RouterOS which will support iOS road-warriors using username/password authentication. I'm guessing that this is EAP and XAuth (with RADIUS), but I haven't found the correct incantation of commands to get it to work. I'm left staring at ipsec debugging logs which say "EAP neeeds certificate if EAP-only is not used" and "reply notify: AUTHENTICATION_FAILED" (no RADIUS packet is emitted?). I'm also puzzled by what auth settings iOS is using in some of its proposals that the debug logs show "auth: unknown".

Any clues would be gratefully received — we've got several end users who would love to test this. Is this something 6.38rc can do yet, or is it "coming soon"?

Anything that shows up as "unknown" in logs is not supported by RouterOS.
For EAP you need a RADIUS server that can do EAP authentication; it is not done directly on RouterOS.

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 15, 2016 3:14 pm
by toto99303
You're right, it's system-dns=yes

I use XML mobileconfig file, read here:
https://wiki.strongswan.org/projects/st ... Ev2Profile
Can I have a copy of your ios mobileconfig?
Just use the "EAP authentication (base template)" and then replace the parts for "Pre-shared key (PSK) authentication".
However the speed is very slow, I've opened a ticket about this and I think I have UDP fragmentation issues.

Strongswan is using this:
"Support for the new IKEv2 Fragmentation mechanism as defined by RFC 7383 has been added, which avoids IP fragmentation of IKEv2 UDP datagrams exceeding the network's MTU size. This feature is activated by setting fragmentation=yes in ipsec.conf and optionally setting the maximum IP packet size with the charon.fragment_size parameter in strongswan.conf."
Is RFC 7383 implemented in RouterOS yet?

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 15, 2016 3:28 pm
by mrz
That RFC describes IKE2 packet fragmentation, it has nothing to do with data forwarded over the tunnel.

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 15, 2016 11:31 pm
by maw
Hello,
When we try using EAP-radius we get an error saying it fails at requesting radius service=ipsec.
And the only services we can provide with radius are ppp, hotspot, dhcp, login and wireless.

Can anyone tell me how to configure this properly?

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 16, 2016 1:52 pm
by mrz
@toto99303 strongswan is using VTI, where you can adjust MTU on interface. RouterOS is policy based and there is no ipsec interface to adjust MTU.

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 16, 2016 2:22 pm
by mrz
@maw leave empty service, it will work. In future we will add ipsec specific service.

Re: Feature Req: IKEv2 server and client

Posted: Sat Dec 17, 2016 12:13 am
by nz_monkey
RouterOS is policy based and there is no ipsec interface to adjust MTU.
VTI on RouterOS. Pleeease :)

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 21, 2016 9:52 pm
by maznu
We've had some success getting IKEv2 and RADIUS and EAP talking to each other... but we've hit an interesting stumbling block. We're using CHR 6.38 rc 51.

The RADIUS packets generated by IKEv2 authentication attempts do not have a Message-Authenticator attribute:
19:43:57.474594 IP (tos 0x0, ttl 63, id 45839, offset 0, flags [DF], proto UDP (17), length 121)
    185.134.196.4.50138 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 93
	Access Request (1), id: 0x17, Authenticator: 216e38c751e9598c38bae6dc5169c34b
	  Calling Station Attribute (31), length: 10, Value: ./.Y..t.
	    0x0000:  c42f 8359 e3d3 74e4
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1400
	    0x0000:  0000 0578
	  EAP Message Attribute (79), length: 16, Value: .
	    0x0000:  0200 000e 0131 302e 332e 302e 3331
	  NAS ID Attribute (32), length: 18, Value: chr01.faelix.net
	    0x0000:  6368 7230 312e 6661 656c 6978 2e6e 6574
	  NAS IP Address Attribute (4), length: 6, Value: 185.134.196.4
	    0x0000:  b986 c404
We are trying to use FreeRADIUS 3.0.12, for which we know RADIUS authentication works (our OpenVPNs are ok). But note the comments in FreeRADIUS' src/lib/radius.c around the following code: you have to have a Message-Authenticator attribute:
        /*
         *      http://www.freeradius.org/rfc/rfc2869.html#EAP-Message
         *
         *      A packet with an EAP-Message attribute MUST also have
         *      a Message-Authenticator attribute.
         *
         *      A Message-Authenticator all by itself is OK, though.
         *
         *      Similarly, Status-Server packets MUST contain
         *      Message-Authenticator attributes.
         */
        if (require_ma && !seen_ma) {
                FR_DEBUG_STRERROR_PRINTF("Insecure packet from host %s:  Packet does not contain required Message-Authenticator attribute",
                           inet_ntop(packet->src_ipaddr.af,
                                     &packet->src_ipaddr.ipaddr,
                                     host_ipaddr, sizeof(host_ipaddr)));
                failure = DECODE_FAIL_MA_MISSING;
                goto finish;
        }

This is using a configuration of:
/radius
add address=XXXXXX secret=XXXXXX service=ppp,hotspot,wireless,dhcp,ipsec src-address=185.134.196.4

/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=chr01.faelix.net. enc-algorithm=aes-128 exchange-mode=ike2 generate-policy=\
    port-strict local-address=185.134.196.4 mode-config=cfg1 my-id=fqdn:chr01.faelix.net passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec user settings
set xauth-use-radius=yes
Have we configured something wrong, or does RouterOS need to generate the Message-Authenticator attribute?

Thanks!

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 21, 2016 9:59 pm
by maznu
...and same on 6.38rc52 :-)

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 22, 2016 1:10 pm
by mrz
Next RC will include message-authenticator attribute

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 22, 2016 4:17 pm
by maznu
Next RC will include message-authenticator attribute
…if this forum had a "like" button, I would press it :-)

Thank you!

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 22, 2016 6:55 pm
by mharis
Hello everyone,

I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops every exactly 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
# dec/22/2016 18:50:18 by RouterOS 6.38rc52
# software id = RNJ2-HSU2
#
/ip ipsec mode-config
add address-pool=mobile_clients address-prefix-length=32 name=cfg1 \
    split-include=192.168.100.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=10h \
    pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=\
    yes
/ip ipsec policy
set 0 dst-address=192.168.99.0/24 src-address=0.0.0.0/0
Thank you and sorry for my English

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 23, 2016 1:18 am
by ckleea
Hello everyone,

I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops every exactly 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
# dec/22/2016 18:50:18 by RouterOS 6.38rc52
# software id = RNJ2-HSU2
#
/ip ipsec mode-config
add address-pool=mobile_clients address-prefix-length=32 name=cfg1 \
    split-include=192.168.100.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=10h \
    pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048,modp1024 enc-algorithm=aes-128 \
    exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=\
    yes
/ip ipsec policy
set 0 dst-address=192.168.99.0/24 src-address=0.0.0.0/0
Thank you and sorry for my English
Do you still need to set up mobileconfig file for the iphone?

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 23, 2016 6:15 pm
by guube
Hi, I'm new here! I've tried IKEv2 in the 6.38rc52 running on an RB951G-2HnD, but stumble upon some problems, both IPSEC related and some other things. What is the best way to discuss these? Would that be via this forum, or should I send mail to support@?

Here are the IPsec related issues:

1) I'm trying to make ROS talk with strongSwan. I let ROS initiate the connection. When doing so, ROS seems to send IKEv2 messages to port 500, but does this with UDP encapsulation. I've verified this with WireShark. RFC 7296 (pg 64) specifies this should not happen. strongSwan answers "wrong IKE version" and refuses to connect. When doing "/ip ipsec peer set 0 port=4500", ROS and strongSwan can connect.

2) When doing "/ip ipsec peer export" the port parameter isn't printed, even though I've set it to something non-standard. "export verbose" doesn't print it either. Should this be the case?

Are the above bugs, or is my understanding somehow wrong?

3) I'd like to configure remote IDs too, however ROS doesn't seem to allow this.

Here's my IPsec configuration on the RB:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip ipsec peer
add address=172.30.4.36/32 disabled=yes exchange-mode=ike2 my-id=fqdn:rbtest.test secret=\
    0xe48cc4f17398821969bfc243fbc28e6a
/ip ipsec policy
add dst-address=172.30.4.36/32 protocol=gre sa-dst-address=172.30.4.36 sa-src-address=\
    0.0.0.0 src-address=172.30.4.200/32
Thanks!
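Point 1 above, as an added example in Python (not code from the post, RouterOS or strongSwan): it builds an IKE_SA_INIT header, decodes it the way a receiver on port 500 and on port 4500 would, and shows why a datagram carrying the 4-byte zero non-ESP marker on port 500 is read as an unknown IKE version. The initiator SPI is borrowed from a log line elsewhere in this thread; everything else is constructed.

```python
"""
Added example, not code from the post, RouterOS or strongSwan: UDP
encapsulation (4-byte zero non-ESP marker, RFC 3948) belongs on port 4500
only; on port 500 the IKE header starts at byte 0 (RFC 7296 section 2.23).
"""
import struct

IKE_PORT, IKE_NATT_PORT = 500, 4500
IKE_SA_INIT = 34                  # exchange type
NON_ESP_MARKER = b"\x00\x00\x00\x00"
SAMPLE_INITIATOR_SPI = bytes.fromhex("55b2bf4541cc23a8")  # from a log in the thread


def build_ike_header(initiator_spi, message_id=0, length=28):
    """IKEv2 header (RFC 7296 section 3.1): iSPI, rSPI (zero in an IKE_SA_INIT
    request), next payload, version 2.0, exchange type, flags, msg id, length."""
    return struct.pack("!8s8sBBBBII", initiator_spi, b"\x00" * 8,
                       33,            # next payload: Security Association
                       0x20,          # major version 2, minor 0
                       IKE_SA_INIT,
                       0x08,          # flags: Initiator bit
                       message_id, length)


def decode_ike_version(udp_payload, dst_port):
    """Decode as a receiver on dst_port would: on 4500 the zero marker is
    expected and stripped; on 500 the IKE header is read from byte 0.
    Returns (major, minor, exchange_type)."""
    data = udp_payload
    if dst_port == IKE_NATT_PORT:
        if data[:4] != NON_ESP_MARKER:
            raise ValueError("non-zero first word on 4500 is UDP-encapsulated ESP, not IKE")
        data = data[4:]
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    version = data[17]
    return version >> 4, version & 0x0F, data[18]


def marker_misplaced_on_500(udp_payload):
    """Detection rule for the behaviour reported in the post: a legitimate IKE
    header on port 500 begins with the initiator SPI, which MUST NOT be zero,
    so four leading zero bytes mean a non-ESP marker where none belongs."""
    return len(udp_payload) >= 4 and udp_payload[:4] == NON_ESP_MARKER


if __name__ == "__main__":
    hdr = build_ike_header(SAMPLE_INITIATOR_SPI)
    print("port 500, plain header:   ", decode_ike_version(hdr, IKE_PORT))
    print("port 4500, marker+header: ", decode_ike_version(NON_ESP_MARKER + hdr, IKE_NATT_PORT))
    # The shifted read lands inside the zero rSPI, so the peer sees "version 0.0".
    print("port 500, marker+header:  ", decode_ike_version(NON_ESP_MARKER + hdr, IKE_PORT))
    print("misplaced marker detected:", marker_misplaced_on_500(NON_ESP_MARKER + hdr))
```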

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 23, 2016 6:52 pm
by trunet
I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops every exactly 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
I'm also having this problem. I can connect successfully from my macbook, but after 8 minutes connection drops.

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 23, 2016 7:25 pm
by trunet
This is my logs when I connect and when I'm disconnected:
17:13:46 ipsec,info new ike2 SA (R): 1.1.1.1[500]-2.2.2.2[500] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info peer authorized: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:13:46 ipsec,info acquired 192.168.101.199 address for 2.2.2.2
17:21:47 ipsec,error payload missing: TS_I
17:21:47 ipsec,info killing ike2 SA: 1.1.1.1[4500]-2.2.2.2[41122] spi:55b2bf4541cc23a8:7a4bf2f20934ae25
17:21:47 ipsec,info releasing address 192.168.101.199

Re: Feature Req: IKEv2 server and client

Posted: Sat Dec 24, 2016 12:11 am
by maw
I'm trying to set up eap-radius with Windows NPS, but I keep getting these errors on my Windows RADIUS server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?

Re: Feature Req: IKEv2 server and client

Posted: Sat Dec 24, 2016 1:48 am
by maznu
I'm trying to set up eap-radius with Windows NPS, but I keep getting these errors on my Windows RADIUS server:
An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute.

Anyone know how to solve this?
http://forum.mikrotik.com/viewtopic.php ... 50#p574052 - mrz says it's in the next RC :)

Re: Feature Req: IKEv2 server and client

Posted: Sun Dec 25, 2016 10:39 pm
by FFAMax
Exchange mode IKE2 is currently not working with auth method rsa key. Do you plan to add this in the near future?

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 5:36 pm
by irico
Any update on this problem?
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.
With 6.38rc52 still not working.

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 5:40 pm
by mrz
Any supout with debug logs from non working version?

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 5:46 pm
by irico
Any supout with debug logs from non working version?
Support ticket #2016120722000706 with supout and "ipsec" logs from 2 routers. If you need I can post it here.

I have a test lab with 2 CHR on Hyper-V. 6.38rc31 working good. Then it has not worked anymore.

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 5:50 pm
by mrz
All known problems with azure were solved, please send access to the routers to that ticket so that we can look at.

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 7:27 pm
by irico
All known problems with azure were solved, please send access to the routers to that ticket so that we can look at.
It has finally worked. I had set up port 500. When I disabled it in Winbox, it started to work.

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 10:20 pm
by nicecloud
Any update on this problem?
After upgrading to v6.38rc35 I cannot connect to Azure anymore.
Stopped working yesterday, and after upgrading from 6.38rc31 I cannot connect to Azure anymore with ikev2

[...]
Same problem here. Latest RC version can't connect with Azure.
In other test lab, Ikev2 between two mikrotik also fails.
With 6.38rc52 still not working.
It works for me with 6.38rc52 against Azure

Re: Feature Req: IKEv2 server and client

Posted: Tue Dec 27, 2016 11:29 pm
by manbot
6.38rc52
Connect from my iPhone was unsuccessful.
Fix this plz!

Re: Feature Req: IKEv2 server and client

Posted: Wed Dec 28, 2016 11:07 pm
by trunet
Any news about the 8 minute disconnection bug?

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 29, 2016 8:21 am
by normis
We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 29, 2016 8:33 am
by FFAMax
Any news about the 8 minute disconnection bug?
It's a bug in Apple

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 29, 2016 8:35 am
by normis
Any news about the 8 minute disconnection bug?
It's a bug in Apple
It is not

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 29, 2016 3:41 pm
by trunet
We have repeated the issue and found the cause. We are working to fix it now. Fix is probably coming in one of the next RC releases.
Thanks... I deeply appreciate the IKEv2 feature coming before the forever-awaited ROS v7.

Re: Feature Req: IKEv2 server and client

Posted: Fri Dec 30, 2016 7:58 pm
by stozzie
Hey MikroTik... I definitely want to thank you for getting IKEv2 in RC.

I have also set up to Azure and after tweaking my NAT settings I am able to get back and forth across the tunnel without issues.

This is great as now I can expand out to test multi site!

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 02, 2017 2:37 pm
by mavink
For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 02, 2017 7:35 pm
by stozzie
For those that are interested: here is a working configuration for an IKEv2 tunnel to Azure. This config works both as initiator and responder.
a.a.a.a = Public IP of your Azure VPN gateway
b.b.b.b = Public IP of the Mikrotik
c.c.c.c/cc = Private IP range on the Azure side
d.d.d.d/dd = Private IP range on the Mikrotik side
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=1h name=Azure \
    pfs-group=none
/ip ipsec peer
add address=a.a.a.a/32 dpd-interval=disable-dpd enc-algorithm=\
    aes-256,aes-128,3des exchange-mode=ike2 generate-policy=port-strict \
    lifetime=1h local-address=b.b.b.b secret=secretkeyhere
/ip ipsec policy
add template=yes
add dst-address=c.c.c.c/cc proposal=Azure sa-dst-address=a.a.a.a \
    sa-src-address=b.b.b.b src-address=d.d.d.d/dd tunnel=yes
Also don't forget you need to add the firewall filter to accept and forward requests from the Azure subnet to the on-premise subnet.
You need the NAT rules for both directions, Azure to on-premise and on-premise to Azure (place above 0), one rule for each.
And you should (in some cases) ensure you add an IPsec route for the subnet in Azure with the gateway IP from that subnet as next hop.

Just adding these as they are not clearly defined. But those are the pieces that I needed specifically for the entire use scenario.

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 03, 2017 11:23 am
by NetHorror
Can I setup iphone without modeconfig? (IKEv2 PSK)

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 03, 2017 12:34 pm
by mrz
Modeconf is needed to give out ip addresses and send DNS to the iphone.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 10:21 am
by yHuKyM
I am unable to set up ike2 with Google Cloud and multiple subnets.
/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 11:06 am
by manbot
Modeconf is needed to give out ip addresses and send DNS to the iphone.
I can access by IP, but can't use DNS names from remote network :(

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
in this section I have correct DNS servers from my internal network.

Any ideas?

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 11:59 am
by mrz
I am unable to set up ike2 with Google Cloud and multiple subnets.
/ip ipsec peer add address=GOOGLEIP dpd-interval=disable-dpd enc-algorithm=aes-256,3des exchange-mode=ike2 local-address=LOCALIP nat-traversal=yes secret=SECRET
/ip ipsec policy add dst-address=10.0.1.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.2.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.3.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add dst-address=10.0.4.0/24 proposal=default sa-dst-address=GOOGLEIP sa-src-address=LOCALIP src-address=192.168.1.0/24 tunnel=yes
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 12:25 pm
by yHuKyM
I am unable to set up ike2 with Google Cloud and multiple subnets.
...
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy
Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 12:27 pm
by mrz
enable ipsec debug logs, generate supout file and send it to support.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 04, 2017 11:51 pm
by achelon
Modeconf is needed to give out ip addresses and send DNS to the iphone.
I can access by IP, but can't use DNS names from remote network :(

/ip ipsec mode-conf
add name=cfg1 system-dns=yes address-pool=rw-pool address-prefix=32

/ip dns
in this section I have correct DNS servers from my internal network.

Any ideas?
I have the exact same problem. I can establish an IKEv2 tunnel from iPhone to Mikrotik but can't access any of the hosts at the end of the tunnel using their DNS names (I have defined a number of static DNS entries on the Mikrotik). A Google search suggested that adding the appropriate SearchDomains, ServerAddresses and SupplementalMatchDomains keys to the MobileConfig file on the iPhone should do the trick, but it didn't. Another (I think related) issue is that not all traffic is sent over the VPN even when the relevant key is set in MobileConfig (OverridePrimary).

I'd appreciate some advice as well.

Achelon

Re: Feature Req: IKEv2 server and client

Posted: Thu Jan 05, 2017 1:41 pm
by yHuKyM
I am unable to set up ike2 with Google Cloud and multiple subnets.
...
Only the first subnet shows as "established". The rest are "no phase2".

This works with a Linux box and strongSwan.
set level=unique for each policy
Same thing. Though, now the second subnet is established, the first and the rest are "no phase2".
Thanks to Mikrotik support, it is working. Nothing was wrong with the ipsec itself, however tunneled traffic has to bypass fasttrack - as described here: http://wiki.mikrotik.com/wiki/Manual:IP ... ack_Bypass
RTFM (to myself).

Thank you Maris (Mikrotik support) for the fast response and for going the extra mile!

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 06, 2017 9:18 pm
by soydekra
Hi!

I would like to configure an IKEv2 VPN connection to connect remotely to my home with my Galaxy S7, my Windows PC and my Mac, but I have never configured an IKEv2 connection. Previously I tried L2TP/IPSec to connect and it worked, but I would like to use IKEv2 instead of L2TP/IPSec. My doubts are:

- How should I configure the connection correctly on my RB3011?
- I have seen that I can use both PSK, rsa signature and rsa key, which is better or safer? The configuration should be valid for all 3 devices.

Thanks for all and sorry if this topic is not the correct one for my question, and sorry for my English.

Re: Feature Req: IKEv2 server and client

Posted: Sun Jan 08, 2017 6:17 am
by AndrewT
Just wanted say great work getting this feature going.

I've successfully configured a route-based IPSEC IKEv2 VPN to Azure and it's generally working very well, except that I get occasional drops.
The log reports -

IPSEC ERROR Payload Missing: ID_R

The link then continues to report as established, but all traffic stops. I'm running 6.39rc7
Any ideas?? Thanks

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 10, 2017 3:29 am
by AndrewT
Okay. So I haven't resolved the above, but I've now added a 10 Second NetWatch to Azure. On Down state I've added -

:log info "IPSEC Down"
:ip ipsec installed-sa flush

This kills the connection and it re-establishes immediately. Seems okay as an immediate workaround.

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 10, 2017 3:50 am
by terrancesiu
I have successfully set up IKEv2 and I am able to connect from my iPhone and MacBook, but the connection drops every exactly 8 minutes. I have tried various lifetimes in proposals and played with settings without success. Here is my config:
I'm also having this problem. I can connect successfully from my macbook, but after 8 minutes connection drops.
Adjusting the encryption and DH group can solve it, in 6.38:
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=fullchain.pem_0 dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=\
    port-strict hash-algorithm=sha256 mode-config=cfg1 passive=yes
/ip ipsec policy
set 0 dst-address=172.30.0.0/15 src-address=0.0.0.0/0
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec mode-config
add address-pool=pool1 address-prefix-length=32 name=cfg1 split-include=172.30.0.0/15 system-dns=no
/ip address
add address=172.31.1.254/24 interface=ether3 network=172.31.1.0
/ip pool
add name=pool1 ranges=172.31.1.1-172.31.1.253
/ip firewall nat
add action=accept chain=srcnat dst-address=172.31.1.0/24 src-address=172.31.0.0/24
add action=accept chain=srcnat dst-address=172.31.0.0/24 src-address=172.31.1.0/24
add action=src-nat chain=srcnat out-interface=pppoe-out1 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address
add action=src-nat chain=srcnat out-interface=pppoe-out2 src-address=172.31.0.0/24 to-addresses=pppoe-out1 address

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 10, 2017 11:55 am
by ThomasLevering
Is it possible to use EAP without RADIUS?
On a rb750gr3 it is not possible to install User Manager :(

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 11, 2017 7:38 pm
by SimWhite
1. Could someone explain how Static DNS works? When I try to disable system DNS in IPsec Mode Config and set something in the static DNS field, my iOS/Mac devices don't get DNS at all.
2. Why do IPsec packets come from the outside interface? Is that correct logic? I mean every packet coming from a client (10.2.2.2) to the router's own LAN IP 10.1.1.1 (IP set on the bridge) will be dropped as an outside packet if there is a firewall rule like /ip firewall filter add action=drop chain=input in-interface=ether1-gw, where ether1-gw is the public interface with WAN IP 8.8.8.8.

Re: Feature Req: IKEv2 server and client

Posted: Sat Jan 14, 2017 1:45 am
by maznu
iPhone client (IKEv2, User Authentication, with username and password), talking to v6.39rc12 with FreeRADIUS.

The RADIUS packet received has the Username set to the iPhone's IP address - not the username specified in the "Authentication" section of iOS. Is this expected behaviour? Shouldn't this be something like the Calling-Station-Id? Or do I misunderstand how RADIUS-based IKEv2 auth should work?
23:41:26.241030 IP (tos 0x0, ttl 63, id 38214, offset 0, flags [DF], proto UDP (17), length 141)
    185.134.196.4.60758 > 185.134.XXXXXX.1812: [udp sum ok] RADIUS, length: 113
	Access Request (1), id: 0x01, Authenticator: 1f3697ca6de1a6a1c1b52d3703b54a6a
	  Calling Station Attribute (31), length: 10, Value: .b.@S...
	    0x0000:  f362 a940 53e6 12d9
	  Username Attribute (1), length: 12, Value: 10.15.0.51
	    0x0000:  3130 2e31 352e 302e 3531
	  Service Type Attribute (6), length: 6, Value: Framed
	    0x0000:  0000 0002
	  Framed MTU Attribute (12), length: 6, Value: 1400
	    0x0000:  0000 0578
	  EAP Message Attribute (79), length: 17, Value: .
	    0x0000:  0200 000f 0131 302e 3135 2e30 2e35 31
	  Message Authentication Attribute (80), length: 18, Value: .r!.H.GZ.a]v&...
	    0x0000:  9e72 2117 4809 475a ae61 5d76 2683 acd7
	  NAS ID Attribute (32), length: 18, Value: chr01.faelix.net
	    0x0000:  6368 7230 312e 6661 656c 6978 2e6e 6574
	  NAS IP Address Attribute (4), length: 6, Value: 185.134.196.4
	    0x0000:  b986 c404
Config as follows:
/ip ipsec mode-config
add address-pool=rw-pool address-prefix-length=32 name=cfg1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate=chr01.faelix.net. \
    enc-algorithm=aes-128 exchange-mode=ike2 generate-policy=port-strict \
    local-address=185.134.196.4 mode-config=cfg1 my-id=fqdn:chr01.faelix.net \
    passive=yes
/ip ipsec policy
set 0 dst-address=192.168.77.0/24 src-address=0.0.0.0/0
/ip ipsec user settings
set xauth-use-radius=yes
Kind regards,
Marek
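An added example in Python (not code from the posts, RouterOS or FreeRADIUS) covering both this post and the Dec 21 one above: it parses a RADIUS Access-Request, applies the RFC 2869 rule quoted from FreeRADIUS (EAP-Message requires Message-Authenticator), verifies the Message-Authenticator as HMAC-MD5 over the packet with that attribute zeroed, and decodes the EAP Response/Identity so you can see which identity the NAS actually put on the wire. The shared secret, request authenticator and NAS identifier are constructed; the other attribute values are modelled on the tcpdump output above.

```python
"""
Added example (not from the forum posts, RouterOS or FreeRADIUS): RADIUS
Access-Request parsing, the RFC 2869 Message-Authenticator rule, HMAC-MD5
verification, and EAP Response/Identity decoding.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# Attribute type codes (RFC 2865, RFC 2869)
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_MTU = 1, 4, 6, 12
CALLING_STATION_ID, NAS_IDENTIFIER = 31, 32
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def parse_attributes(packet):
    """Return [(type, value_offset, value)] for the TLVs after the 20-byte header."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pos + 2, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def check_message_authenticator(packet, secret):
    """Mirror the FreeRADIUS decode check quoted in the thread: (accepted, reason)."""
    attrs = parse_attributes(packet)
    has_eap = any(t == EAP_MESSAGE for t, _, _ in attrs)
    mas = [(off, val) for t, off, val in attrs if t == MESSAGE_AUTHENTICATOR]
    if not mas:
        if has_eap:
            return False, "EAP-Message present but no Message-Authenticator (RFC 2869)"
        return True, "no Message-Authenticator required"
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return False, "malformed Message-Authenticator"
    off, received = mas[0]
    # HMAC-MD5 keyed with the shared secret over the whole packet, with the
    # 16-byte Message-Authenticator value replaced by zeros (RFC 2869 5.14).
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if hmac.compare_digest(expected, received):
        return True, "Message-Authenticator valid"
    return False, "Message-Authenticator mismatch (wrong secret or tampered packet)"


def eap_identity(packet):
    """Decode the EAP Response/Identity carried in EAP-Message attributes, or None."""
    eap = b"".join(v for t, _, v in parse_attributes(packet) if t == EAP_MESSAGE)
    if len(eap) < 5:
        return None
    code, _eap_id, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY or length != len(eap):
        return None
    return eap[5:].decode("ascii", "replace")


def build_access_request(secret, attrs, request_authenticator, include_ma=True):
    """Build an Access-Request. With include_ma the attribute is appended zeroed,
    the HMAC is computed over the whole packet, then written in place."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    if include_ma:
        body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body))
    packet = header + request_authenticator + body
    if include_ma:
        packet = packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()
    return packet


# Constructed sample; attribute values modelled on the dump in the post.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS sends 16 random bytes
SAMPLE_IDENTITY = b"10.15.0.51"                    # the NAS used the client IP here
SAMPLE_ATTRS = [
    (CALLING_STATION_ID, bytes.fromhex("f362a94053e612d9")),
    (USER_NAME, SAMPLE_IDENTITY),
    (SERVICE_TYPE, struct.pack("!I", 2)),           # Framed
    (FRAMED_MTU, struct.pack("!I", 1400)),
    (EAP_MESSAGE, struct.pack("!BBHB", EAP_RESPONSE, 0, 5 + len(SAMPLE_IDENTITY),
                              EAP_TYPE_IDENTITY) + SAMPLE_IDENTITY),
    (NAS_IDENTIFIER, b"nas01.example.net"),         # constructed placeholder
    (NAS_IP_ADDRESS, bytes([192, 0, 2, 1])),        # constructed (TEST-NET-1)
]


def demo():
    """The two outcomes from the thread: the rc51-style packet without the
    attribute is rejected, the later packet with it verifies; plus the identity."""
    with_ma = build_access_request(SAMPLE_SECRET, SAMPLE_ATTRS, SAMPLE_REQUEST_AUTHENTICATOR)
    without_ma = build_access_request(SAMPLE_SECRET, SAMPLE_ATTRS,
                                      SAMPLE_REQUEST_AUTHENTICATOR, include_ma=False)
    return {
        "without_ma": check_message_authenticator(without_ma, SAMPLE_SECRET),
        "with_ma": check_message_authenticator(with_ma, SAMPLE_SECRET),
        "identity": eap_identity(with_ma),
    }
```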

Re: Feature Req: IKEv2 server and client

Posted: Sat Jan 14, 2017 9:37 pm
by hamster
I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.

Re: Feature Req: IKEv2 server and client

Posted: Sun Jan 15, 2017 6:49 pm
by achelon
I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:
/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Note: I found this incredibly finicky to get working. For example, just viewing the Peer config page in webfig causes the remote certificate option to change (!). EAP RADIUS doesn't work at all for me - RADIUS sends Access-Accept but iOS clients complain:
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet
So I just use the rsa-signature option and then it works. You must use MobileConfig to build a profile to load onto your iOS device and MacBook to get the clients properly configured.

Hope this helps.

Achelon

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 16, 2017 12:56 pm
by mrz
You do not need to use Config builder, connection can be easily set with built in client.
http://wiki.mikrotik.com/wiki/Manual:IP ... ient_Notes

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 16, 2017 2:43 pm
by hamster
Thanks so much for your help achelon, but it seems like I'll have to wait for v6.39 to be released, as I don't like running release candidates in my production environment, and IKEv2 and RADIUS in v6.38 seem to be more broken than working...

P.S., Mikrotik, there's a typo in ipsec logs "child negitiation timeout in state 0"

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 16, 2017 9:16 pm
by hamster
Well, I found the reason why RADIUS isn't working with IPsec when using EAP RADIUS authentication over IKEv2, now on ROS v6.38.1. Here's the relevant part of the security log on Windows Server 2012 R2, written by Network Policy Server, when connecting from a Windows 10 client. Instead of my user name it sends my IP address, and more problems, like non-printable characters, follow in the "Client Machine" part:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			192.168.13.35
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	MYDOMAIN\192.168.13.35

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		-
	Calling Station Identifier:		8
ŠˆÁK

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			-
	NAS Port:			-

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			8
	Reason:				The specified user account does not exist.
While with L2TP/IPSec and RADIUS it works just fine:
Network Policy Server granted access to a user.

User:
	Security ID:			MYDOMAIN\myname
	Account Name:			myname
	Account Domain:			MYDOMAIN
	Fully Qualified Account Name:	mydomain.local/MyDomain/MyName

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		82.192.xxx.xxx
	Calling Station Identifier:		93.103.xxx.xxx

NAS:
	NAS IPv4 Address:		10.1.1.1
	NAS IPv6 Address:		-
	NAS Identifier:			TheRouter
	NAS Port-Type:			Virtual
	NAS Port:			15728640

RADIUS Client:
	Client Friendly Name:		TheRouter
	Client IP Address:			10.1.1.1

Authentication Details:
	Connection Request Policy Name:	Use Windows authentication for all users
	Network Policy Name:		Connections to other access servers
	Authentication Provider:		Windows
	Authentication Server:		MyServer.mydomain.local
	Authentication Type:		MS-CHAPv2
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.

Quarantine Information:
	Result:				Full Access
	Session Identifier:			-
As a bonus, this is the log from strongSwan on Android, trying to connect to the same configuration (IPsec, EAP RADIUS). Apparently the Mikrotik router stops responding while strongSwan tries to negotiate the DH group.
Jan 16 20:28:00 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1rc1, Linux 3.0.31-Bauner, armv7l)
Jan 16 20:28:01 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls
Jan 16 20:28:01 00[JOB] spawning 16 worker threads
Jan 16 20:28:01 08[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:01 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:01 08[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (744 bytes)
Jan 16 20:28:01 11[NET] received packet: from 82.192.xxx.xxx[500] to 192.168.13.33[49936] (38 bytes)
Jan 16 20:28:01 11[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jan 16 20:28:01 11[IKE] peer didn't accept DH group ECP_256, it requested MODP_4096
Jan 16 20:28:02 11[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:02 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:02 11[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:03 12[IKE] retransmit 1 of request with message ID 0
Jan 16 20:28:03 12[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:04 13[IKE] retransmit 2 of request with message ID 0
Jan 16 20:28:04 13[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:06 07[IKE] retransmit 3 of request with message ID 0
Jan 16 20:28:06 07[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 14[IKE] giving up after 3 retransmits
Jan 16 20:28:08 14[IKE] peer not responding, trying again (2/0)
Jan 16 20:28:08 14[IKE] initiating IKE_SA android[3] to 82.192.xxx.xxx
Jan 16 20:28:08 14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jan 16 20:28:08 14[NET] sending packet: from 192.168.13.33[49936] to 82.192.xxx.xxx[500] (1192 bytes)
Jan 16 20:28:08 16[IKE] destroying IKE_SA in state CONNECTING without notification
Now this is seriously starting to get on my nerves. It should work, but it doesn't. At all! Why?

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 16, 2017 10:20 pm
by maznu
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 16, 2017 10:53 pm
by hamster
Yes, maznu, exactly what I posted above - I have the same problem with Windows client and even more strange problem with Android client.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 18, 2017 3:21 pm
by eldarkt
Hi all, just for stats: Azure with IKE2 ("route-based" from the Azure side) works well without any errors.
Model 951-2n, version 6.38.1

//mrz and Mikrotik staff, I just want to say huge thanks for IKE2 implementation = )

Re: Feature Req: IKEv2 server and client

Posted: Thu Jan 19, 2017 4:08 pm
by maw
We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 2:31 pm
by mrz
We are experiencing exactly the same. Radius to Windows Server 2016 Network Policy Server and IKEv2 client is a Windows 10 machine.
6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client?
    185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111
	Access Request (1), id: 0x01, Authenticator: f68c0e84765b5b0644e739efb2e947d4
	  Calling Station Attribute (31), length: 10, Value: ......k.
	    0x0000:  b6c6 d3bb c0f5 6b0b
	  Username Attribute (1), length: 11, Value: 10.3.0.31
	    0x0000:  3130 2e33 2e30 2e33 31
The User-Name RADIUS attribute is equal to the client's local identity; iOS by default puts its IP address as the local identity. The EAP username and password used for authentication are inside the EAP message.
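
To see concretely what the NAS hands to the RADIUS server, here is an added example (not MikroTik's or FreeRADIUS's code, and not posted by anyone in this thread). It rebuilds an Access-Request from the attribute values shown in Marek's tcpdump at the top of this page, fills in the Message-Authenticator that RFC 3579 requires whenever EAP-Message is present, then parses the packet back, decodes the EAP Response/Identity carried inside EAP-Message and compares it with the outer User-Name. The shared secret, the packet identifier and the Request Authenticator are made-up assumptions; the identity-policy check mirrors the FreeRADIUS policy.d/filter rule that andriys describes later in the thread (the outer name must equal the inner one or be anonymous).

```python
"""Rebuild and decode a RADIUS Access-Request that carries IKEv2 EAP.
Added example, not RouterOS or FreeRADIUS code."""
import hashlib
import hmac
import ipaddress
import struct

# RADIUS attribute types (RFC 2865, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_MTU = 1, 4, 6, 12
CALLING_STATION_ID, NAS_IDENTIFIER, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 31, 32, 79, 80
ACCESS_REQUEST = 1
HEADER_LEN = 20  # Code, Identifier, Length and the 16-byte Request Authenticator


def encode_attr(atype, value):
    # Type(1) Length(1) Value; Length counts the two header bytes
    return bytes([atype, len(value) + 2]) + value


def find_attr_offset(pkt, wanted):
    """Offset of the first attribute of type `wanted`, or None."""
    off = HEADER_LEN
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2:
            raise ValueError("bad attribute length")
        if atype == wanted:
            return off
        off += alen
    return None


def build_access_request(secret, authenticator, ident, attrs):
    """Assemble an Access-Request. attrs must carry a zeroed Message-Authenticator
    placeholder; it is filled with HMAC-MD5(secret, whole packet) per RFC 3579 3.2."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body)) + authenticator + body
    off = find_attr_offset(pkt, MESSAGE_AUTHENTICATOR)
    if off is None or pkt[off + 2:off + 18] != bytes(16):
        raise ValueError("zeroed Message-Authenticator placeholder missing")
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:off + 2] + mac + pkt[off + 18:]


def parse_attrs(pkt):
    """Return [(type, value), ...], rejecting inconsistent lengths."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < HEADER_LEN:
        raise ValueError("bad RADIUS length")
    attrs, off = [], HEADER_LEN
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return attrs


def verify_message_authenticator(pkt, secret):
    """RFC 3579: an Access-Request with EAP-Message but no valid
    Message-Authenticator should be silently discarded."""
    off = find_attr_offset(pkt, MESSAGE_AUTHENTICATOR)
    if off is None or pkt[off + 1] != 18:
        return False
    zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off + 2:off + 18])


def eap_identity(eap):
    """Identity from an EAP Response/Identity (Code 2, Type 1), else None."""
    if len(eap) < 5:
        return None
    code, _eid, elen = struct.unpack("!BBH", eap[:4])
    if code != 2 or elen != len(eap) or eap[4] != 1:
        return None
    return eap[5:].decode("utf-8", "replace")


def outer_identity_policy(outer, inner):
    """Classify the outer User-Name against the inner EAP identity the way the
    FreeRADIUS policy.d/filter rule does: it must match or be anonymous."""
    if outer == inner:
        return "match"
    if outer == "anonymous" or outer.startswith("anonymous@") or outer.startswith("@"):
        return "anonymous"
    return "mismatch"


def analyse(pkt, secret):
    """Summarise what the RADIUS server sees in this request."""
    attrs = parse_attrs(pkt)
    first = dict(reversed(attrs))  # first occurrence of each type wins
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # EAP may span several attributes
    outer = first.get(USER_NAME, b"").decode("utf-8", "replace")
    inner = eap_identity(eap)
    return {
        "mac_ok": verify_message_authenticator(pkt, secret),
        "user_name": outer,
        "eap_identity": inner,
        "policy": outer_identity_policy(outer, inner),
        "nas_ip": str(ipaddress.IPv4Address(first[NAS_IP_ADDRESS])),
        "nas_id": first[NAS_IDENTIFIER].decode(),
        "framed_mtu": struct.unpack("!I", first[FRAMED_MTU])[0],
    }


# Constructed sample: attribute values copied from Marek's tcpdump above; the
# shared secret, identifier and Request Authenticator are made up.
SECRET = b"testing123"
AUTHENTICATOR = bytes(range(16))
SAMPLE_ATTRS = [
    (CALLING_STATION_ID, bytes.fromhex("f362a94053e612d9")),      # 8 opaque bytes, as captured
    (USER_NAME, b"10.15.0.51"),                                  # the client's IKEv2 local-id
    (SERVICE_TYPE, struct.pack("!I", 2)),                        # Framed
    (FRAMED_MTU, struct.pack("!I", 1400)),
    (EAP_MESSAGE, bytes.fromhex("0200000f01") + b"10.15.0.51"),  # EAP Response/Identity
    (MESSAGE_AUTHENTICATOR, bytes(16)),                          # placeholder filled by the builder
    (NAS_IDENTIFIER, b"chr01.faelix.net"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("185.134.196.4").packed),
]
SAMPLE_REQUEST = build_access_request(SECRET, AUTHENTICATOR, 1, SAMPLE_ATTRS)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_REQUEST, SECRET).items():
        print(f"{key:13} {value}")
```

In the captured packet the EAP Identity and the outer User-Name are both the client's IP address, which is why a server that keys its user lookup on User-Name rejects the request; the policy function returns "mismatch" for the Windows case described in this thread (User-Name 192.168.13.35 against a real account name inside EAP), and "anonymous" for the RFC 5281 style outer names a RADIUS server will accept without a lookup.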

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 3:06 pm
by maznu
user-name radius attribute is equal to clients local-identity, IOS by default puts its ip address as local-identity. Eap username and password for authentication is inside eap message.
What a lovely information leak... Thanks for the info, mrz!

Now to build the FreeRADIUS configuration from hell :-)

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 4:13 pm
by msatter
Yes!!!!!! Finally I have IKEv2 working on my Android after more than two days of trial and error. I used the Wiki to make the setup, but many things were confusing, and this value was the key to getting it working: subject-alt-name=IP:10.5.130.6. But then, for crying out loud, where does 10.5.130.6 come from, when the external IP in the example is 2.2.2.2?

I replaced 10.5.130.6 with my reverse hostname and put that also in the certificate, and strongSwan connected instantly or after the second try. I needed to put this in the Advanced tab in IPsec Peer with My ID Type: fqdn and in the field My ID:

When I used the given /ip firewall filter line I noticed that this was not correct in my opinion, and it did not work for me. The Wiki states:
add chain=input comment="UDP 500,4500" dst-port=500,4500 in-interface=WAN protocol=udp src-port=500,4500
The chance that the traffic is coming in on port 500,4500 and going out on port 500,4500 at the same time is very small.

I have now used the Any. Port field:
add chain=input comment="UDP 500,4500" port=500,4500 in-interface=WAN protocol=udp
My config settings:
/certificate
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
 #		NAME           COMMON-NAME		SUBJECT-ALT-NAME                FINGERPRINT
 0 K	I	server1        <external router IP(2.2.2.2)>	DNS:<reverse.domain.name>   c92...
 1 K	I	client1         client1                                           559...
 2 K L A T ca           

/ip ipsec mode-config
add address-pool=vpn-pool address-prefix-length=32 name=cfg1 split-include=<local network(192.168.55.0/24)>
/ip ipsec policy group
add name=group1
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512 enc-algorithms=aes-256-cbc pfs-group=modp2048
add auth-algorithms=sha512,sha256 name=proposal-IPSEC pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=server1 dh-group=modp2048 enc-algorithm=\
    aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha512 mode-config=cfg1 my-id=\
    fqdn:reverse.domain.name passive=yes policy-template-group=group1 send-initial-contact=no
/ip ipsec policy
set 0 dst-address=<remote network(192.168.77.0/24)> group=group1 proposal=proposal-IPSEC src-address=0.0.0.0/0

/ip firewall filter
add action=accept chain=input port=500,4500 protocol=udp
add action=accept chain=input connection-state=established,related
In strongSwan I put my reverse.domain.name as Server and the rest as in the Wiki.
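
The difference between the two filter lines above is easier to see by evaluating them against real packets. The following is an added example (not RouterOS code, and not from this thread): it parses both rule lines into matchers and runs them against three constructed UDP packets, one of them the IKE_SA_INIT that the strongSwan log earlier in this thread shows leaving from ephemeral port 49936 to port 500. It models only the matchers these two rules use (chain, protocol, in-interface, src-port, dst-port and port, where port is satisfied by either the source or the destination port, as in RouterOS) and assumes an implicit drop at the end of the input chain, as on a router whose last input rule drops everything else.

```python
"""Evaluate two RouterOS /ip firewall filter rules against sample UDP packets.
Added example, not RouterOS code; only the matchers used by the rules are modelled."""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_interface: str
    protocol: str
    src_port: int
    dst_port: int


def parse_ports(spec):
    """'500,4500' or '500-600,4500' -> set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Turn 'add chain=input ... port=500,4500 protocol=udp' into a dict."""
    tokens = shlex.split(line)  # handles the quoted comment value
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an 'add' line")
    rule = {"action": "accept"}  # RouterOS default action when none is given
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError(f"bad token {tok!r}")
        rule[key] = parse_ports(value) if key in ("src-port", "dst-port", "port") else value
    return rule


def rule_matches(rule, pkt, chain="input"):
    if rule.get("chain", chain) != chain:
        return False
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    if "in-interface" in rule and rule["in-interface"] != pkt.in_interface:
        return False
    if "src-port" in rule and pkt.src_port not in rule["src-port"]:
        return False
    if "dst-port" in rule and pkt.dst_port not in rule["dst-port"]:
        return False
    # 'port' matches if either side of the datagram uses one of the listed ports
    if "port" in rule and pkt.src_port not in rule["port"] and pkt.dst_port not in rule["port"]:
        return False
    return True


def verdict(rules, pkt):
    """Action of the first matching rule; 'drop' models an assumed final drop-all."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "drop"


WIKI_RULE = parse_rule(
    'add chain=input comment="UDP 500,4500" dst-port=500,4500 '
    'in-interface=WAN protocol=udp src-port=500,4500')
PORT_RULE = parse_rule(
    'add chain=input comment="UDP 500,4500" port=500,4500 '
    'in-interface=WAN protocol=udp')

# Constructed packets arriving on the WAN interface
IKE_FROM_EPHEMERAL = Packet("WAN", "udp", 49936, 500)  # strongSwan IKE_SA_INIT, as in the log above
NAT_T_AFTER_PAT = Packet("WAN", "udp", 61001, 4500)    # road warrior behind a NAT that rewrote the source port
SITE_TO_SITE = Packet("WAN", "udp", 500, 500)          # peer router using fixed ports on both sides


def compare(pkt):
    """(verdict under the wiki rule, verdict under the port= rule)."""
    return verdict([WIKI_RULE], pkt), verdict([PORT_RULE], pkt)


if __name__ == "__main__":
    for name, pkt in [("ephemeral", IKE_FROM_EPHEMERAL), ("nat-t", NAT_T_AFTER_PAT), ("s2s", SITE_TO_SITE)]:
        wiki, port = compare(pkt)
        print(f"{name:10} {pkt.src_port:>5}->{pkt.dst_port:<5} wiki={wiki:6} port={port}")
```

Only the router-to-router packet with fixed ports passes the src-port/dst-port rule; both road-warrior packets are dropped by it and accepted by the port= rule, which is the behaviour msatter observed when connecting from outside.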

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 4:32 pm
by mrz
There are no firewall rules mentioned in the ike2 example. If you got these rules from other examples, then such configuration is valid there.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 5:02 pm
by msatter
There is no firewall rules mentioned in ike2 example. If you get these rules from other examples then there such configuration is valid.
Using no filter works when I am connecting within the local network; however, when coming from outside the router, nothing comes in unless I explicitly accept the traffic.

Edit: thanks for updating the Wiki and implementing these great features for us.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 6:49 pm
by hamster
@mrz, please see the logs from RADIUS on my Windows server a few posts back. The connecting client in my case was a Windows 10 machine, not iOS, and the problem is exactly the same: the Mikrotik router simply does not pass the right information to the RADIUS server, hence the login fails.

But then again, I might be wrong. So if anyone here at all has managed to successfully configure IKEv2 + EAP RADIUS with any client, please let us know.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 7:01 pm
by mrz
User:
Security ID: NULL SID
Account Name: 192.168.13.35
Account Domain: MYDOMAIN
Fully Qualified Account Name: MYDOMAIN\192.168.13.35


This is exactly what I mentioned previously. The account name in this case is the local-id from the client (by default the IP address, if not explicitly specified in the client config).

As for the other problem, try the latest RC version, where we fixed the EAP length.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jan 20, 2017 9:35 pm
by manbot
Any news about fqdn? When?...


Sent from my iPhone using Tapatalk

Re: Feature Req: IKEv2 server and client

Posted: Sun Jan 22, 2017 1:36 am
by hamster
@mrz, I'm sorry, I must be missing something here. If this is how this is supposed to work, I kindly ask you to provide us with a short example of a working configuration of IKEv2 + EAP RADIUS and please add a note if there's anything special that needs to be configured on NPS for this to start working.

But I still strongly suspect this is not supposed to work this way. When I set up my IKEv2 connection in my Windows 10 client, I enter a username and a password. This should be a part of MSCHAPv2 inside EAP packets that the Mikrotik router should pass along to the RADIUS server, which in turn should tell the Mikrotik router whether that user/pass combination is valid or not. Regardless of the protocol used between the Mikrotik router and clients, the RADIUS server still works the same way as always - it expects to receive a username and a password in some form, to be able to authenticate a user, no? And I cannot imagine how a valid username is supposed to be an IP address, especially an internal one, which can be the same for many different clients at once...

Meanwhile pfSense, which is in many ways inferior to Mikrotik, handles this particular case without problems, and also has a nice guide on configuring everything...

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 23, 2017 11:37 am
by mrz
But as I mentioned earlier, the username and password ARE inside the EAP message, and authentication is done with the data in the EAP message.

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 23, 2017 7:25 pm
by hamster
On that, we agree. But, it seems like whatever Mikrotik router actually forwards to RADIUS server is wrong. Look, here's a screenshot of my configuration on NPS, note the enabled EAP-MSCHAPv2.
Image

Now, of course, it's most likely that I am doing something wrong. Can you please, I'll beg you if need be, please, post a sample of a working configuration on Mikrotik side and please add a note if there is anything else that needs to be specifically configured in this case on an otherwise working RADIUS server (Windows NPS)? Please. Or anyone else for that matter. Does anyone here on this forum have a working configuration of IPSec with EAP RADIUS authentication for ROS v6.38.1?

Re: Feature Req: IKEv2 server and client

Posted: Mon Jan 23, 2017 9:41 pm
by mrz
Upgrade to the latest RC, where the EAP message length is fixed.
If it still does not work, contact support.

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 24, 2017 5:10 pm
by Satowist
Sorry for going off-topic.
Has anyone tried to set up a site-to-site (s-2-s) tunnel between Windows Server 2012 R2 and Mikrotik with IKE2?

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 24, 2017 6:34 pm
by maw
We are still receiving the client IP address as the username when the RADIUS request is sent to NPS on Windows, after upgrading to v6.39RC17.

Re: Feature Req: IKEv2 server and client

Posted: Tue Jan 24, 2017 6:45 pm
by mrz
@maw, as was mentioned many times before, the "username" that you see is not the username but the local-id on the client. The actual username and password used for authentication are in the EAP message.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jan 25, 2017 11:15 am
by maw
@maw as it was mentioned many times before, "username" that you see is not username but local-id on the client. Actual username and password used for authentication is in EAP message.
Okay.
Would it be possible for you to provide a config example of a working setup with EAP-RADIUS to Windows NPS, as Hamster requested earlier? I'm not sure how to alter my setup, as we are only seeing this behaviour from the RouterOS IKEv2 setup.

Re: Feature Req: IKEv2 server and client

Posted: Sat Jan 28, 2017 11:53 am
by hamster
Dear mrz, this is still not working, even on 6.39rc20. Problem is still exactly the same. Instead of dismissing this issue like you have been doing so far and wasting my time and time of everyone else here, please forward it to someone who can actually see the problem here and take steps in order to fix it. There are multiple users with the exact same problem, so please stop delaying this.

Re: Feature Req: IKEv2 server and client

Posted: Sat Feb 04, 2017 6:37 am
by manbot
Any changes about DNS? Still can't access any remote resources by name and fqdn :(


Sent from my iPhone using Tapatalk

Re: Feature Req: IKEv2 server and client

Posted: Sat Feb 04, 2017 4:02 pm
by andriys
@maw as it was mentioned many times before, "username" that you see is not username but local-id on the client. Actual username and password used for authentication is in EAP message.
Using local-id as a value of the User-Name RADIUS attribute in the "outer session" sounds wrong. My understanding is that local-id is used during phase1 negotiation, and has nothing to do with user authentication (at least when EAP is in use).

According to the comments in the sample configuration of FreeRADIUS v3 (see raddb/policy.d/filter) the "outer" User-Name attribute should either be exactly the same as the "inner" User-Name attribute, or anonymized, where "anonymized" means one of the following: "anonymous", "anonymous@realm.name" or "@realm.name" (please note the leading "@" in the latter case). I tried to find some normative references that describe such behavior, and the only document I found was RFC5281 (EAP-TTLSv0). However it sounds reasonable to handle other EAP types similarly.

It is rather clear that you're just relaying EAP payload to RADIUS server and do not see what's inside, so the only valid option for you is to use anonymized username in the outer session. It might be surmised that you may still include local-id in there, but only as a realm portion of the User-Name, which may be useful for RADIUS request "routing" (proxying), especially in a case when client software is capable of sending user FQDN as a local ID.

Re: Feature Req: IKEv2 server and client

Posted: Wed Feb 15, 2017 4:01 pm
by mrz
What you are talking about is TTLS. In the iOS case the outer protocol is TLS and the inner protocol is EAP/MS-CHAPv2.
So in this case, for RADIUS to authenticate, the user-name attribute should be the same as the username in the EAP message.

The strongSwan client on Android changes local-id automatically when EAP MS-CHAP is used, but iOS will always send the IP address (if not configured manually), so on iOS clients you have to manually change local-id to the username.

Re: Feature Req: IKEv2 server and client

Posted: Wed Feb 15, 2017 8:15 pm
by andriys
What you are talking about is TTLS. In IOS case outer protocol is TLS and inner protocol is EAP/MS-CHAPv2.
Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes the EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to RADIUS. The TLS part of EAP-TTLS is meant to authenticate the Authenticator (i.e. the RADIUS server) to the Supplicant (VPN client), and not the NAS or VPN server to the client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 12:44 am
by hamster
Dear andriys, thanks for fighting the good fight. Your fight is now over :)

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS! 8)

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there... :)

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 6:13 am
by nz_monkey
Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 11:15 am
by mrz
What you are talking about is TTLS. In IOS case outer protocol is TLS and inner protocol is EAP/MS-CHAPv2.
Are you telling us that RouterOS itself "terminates" the TLS part of EAP-TTLS and only passes EAP/MS-CHAPv2 part to the RADIUS server? That's plain wrong! You should pass the whole EAP session to the RADIUS. TLS part of the EAP-TTLS is meant to authenticate Authenticator (i.e. RADIUS server) to Supplicant (VPN client), and not NAS or VPN server to client.

The "outer" RADIUS session is what NAS or VPN server constructs itself in order to encapsulate EAP payload it receives from the client. So it's under your control what to put into the "outer" session User-Name attribute. Please put what RFC5281 suggests in there.
No, RouterOS does not terminate; it relays everything to RADIUS.
What I am saying is that the clients mentioned here do not use TTLS but TLS as the outer protocol, so RFC5281 is not applicable.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 11:16 am
by mrz
Dear andriys, thanks for fighting the good fight. Your fight is now over :)

Mikrotik has fixed the issue. I'm incredibly happy to report that the issue with IKEv2 + RADIUS is now in v6.39rc27 RESOLVED! With the same configuration as before, it suddenly now FOOKIN' WORKS! YISSS! 8)

Edit: I got excited too soon. It works from strongSwan client on Android now, but when connecting from Windows 10 native client, the problem is the same as before. So, in case of strongSwan client, my RADIUS server sees "user-name" property as it should, when connecting from Windows, my RADIUS server sees "user-name" property as an IP address and obviously rejects authentication request. Well, andriys, perhaps the fight isn't over yet, but we're getting there... :)
Set local-id manually to the same value as the username. As was mentioned in my previous post, strongSwan does that automatically, but other clients do not.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 11:28 am
by mrz
Hi Maris and other Mikrotik staff.

Thank you for the recent love you have been giving IPSEC. Even without the IKEv2 additions, the 6.39 branch is already a great improvement on prior versions, I particularly like the addition of showing the Phase2 status in the policy screen. It makes troubleshooting much quicker.

Have you considered aligning your terminology ?

e.g. rename "Peer" tab to "Phase 1" and "Policy" tab to "Phase 2"
Currently we do not plan to rename peer and policy.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 11:34 am
by hamster
mrz, I will gladly do that, if you can tell me where/how in Windows 10 "native client" can I do that? I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my user's computers.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 11:59 am
by andriys
No RouterOS does not terminate, it relays everything to RADIUS.
What I am saying is that mentioned clients here does not use TTLS, but TLS as outer protocol, so RFC5281 is not applicable.
EAP-TLS uses certificates exclusively to authenticate both Authenticator and Supplicant, so I guess you are talking about PEAP here.

In the case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate the Authenticator to the Supplicant. The Supplicant does not provide any proof of identity at this stage. Once the secure TLS session is established, EAP-MSCHAPv2 is used inside that session to authenticate the Supplicant to the Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!

One more time: the outer RADIUS session is a communication channel between the VPN server and the RADIUS server. The EAP session is being forwarded to the RADIUS server over this outer RADIUS session, but that's just it. The RADIUS session is being constructed by the VPN server, and the Supplicant knows nothing about this session. It's the VPN server who decides what to put into the RADIUS attributes.

In other words, it's RouterOS that puts garbage into the User-Name attribute in the outer RADIUS session. The Supplicant (i.e. the VPN client) has no relation to what's in this session; it's not even aware it exists. What the Supplicant puts into the EAP exchange has no relation to what the VPN server puts into the outer RADIUS session.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 1:15 pm
by mrz
In case of PEAP a secure TLS session is established between Supplicant and Authenticator. At this stage a certificate is used to authenticate Authenticator to Supplicant. Supplicant does not provided any proof of identity at this stage. Once the secure TLS session is established EAP-MSCHAPv2 is used inside that session to authenticate Supplicant to Authenticator. I hope this is where we agree with each other.

And here comes a very important part: When I'm talking about the outer RADIUS session I mean exactly this: RADIUS session between VPN server and RADIUS server. It has nothing to do with the TLS session between Supplicant and Authenticator. Those are completely separate!
Yes, but to put the username which is used in EAP-MSCHAP as the RADIUS user-name we have to parse the EAP message, which currently is not done.
mrz, I will gladly do that, if you can tell me where/how in Windows 10 "native client" can I do that? I just want to be able to configure this (otherwise wonderful new addition to ROS) reliably on my user's computers.
It looks like such an option does not exist on Windows 10.
We will look further into this problem and try to extract the username from EAP-MSCHAP.

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 16, 2017 1:38 pm
by andriys
Yes, but to put username which is used in EAP-MSCHAP as radius user-name we have to parse EAP message, which currently is not done.
In fact, that is not possible to do (unless you terminate PEAP TLS session on the VPN server instead of passing it through to the RADIUS server, but you said you don't do that a few posts above). So please-please-please just put anonymized user-name (similar to what EAP-TTLS requires) in there. Most of the existing RADIUS servers will be happy to accept that.

Re: Feature Req: IKEv2 server and client

Posted: Sat Feb 18, 2017 11:53 am
by hamster
Tested this with the new v6.39rc33 - still not working.

Re: Feature Req: IKEv2 server and client

Posted: Sat Feb 18, 2017 11:34 pm
by netleak
Even when using the username in the local-id section, in the freeradius logs I see this error and cannot log in:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 20, 2017 7:26 pm
by hamster
@netleak Can you post some more verbose log from your server, or perhaps even better, RADIUS debug logs from Mikrotik?

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 23, 2017 1:08 am
by hamster
Just to update the status of the RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definitely not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."

Re: Feature Req: IKEv2 server and client

Posted: Thu Feb 23, 2017 11:52 am
by mrz
even when using username in local-id section, in freeradius logs I see this error and can not login:
(5) mschap: ERROR: MS-CHAP2-Response is incorrect
(5) [mschap] = reject
(5) } # authenticate = reject

any help?
There are several types of EAP MSCHAP implementations (not to mention that they are all drafts, and the client or server may implement an older draft version):
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case the selected authentication on FreeRADIUS is not compatible with the client's authentication algorithm.

Re: Feature Req: IKEv2 server and client

Posted: Fri Feb 24, 2017 12:02 pm
by markom
I am trying to build Mikrotik as an IKEv2 server with win phone 10 as the client.
I have been reading over and over
http://wiki.mikrotik.com/wiki/Manual:IP ... 2_RSA_auth
but I can't establish a connection.

Has anyone seen a good working example on the web?

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 27, 2017 8:42 am
by TheD
Hi lads,

I already opened a ticket about this, but I said it can't hurt if I write here as well...

In the (quite common) scenario where Mikrotik and the client (mobile phone or PC at a remote location) have dynamic IP addresses, you can only use dynamic creation of IPSec policies to get around that issue. I am trying to use split tunnelling with IKEv2 now, and the problem is that routes are advertised to the client via mode config OK, but only the policy for the first listed subnet in mode config gets created dynamically. Because of that, even though the client has all the routes, it can only access the first listed subnet.

Is there a way you could implement dynamic creation of policies for all the subnets listed in mode config when "Generate policy" is used in the peer configuration?

That would be epic!

Cheers,

D

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 27, 2017 10:59 am
by mrz
Problem is not on RouterOS. Some mobile clients do not support multiple subnets.

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 27, 2017 11:51 am
by TheD
Problem is not on RouterOS. Some mobile clients do not support multiple subnets.
Hi mrz. I'm not sure I understand why that would be a problem with the mobile client. The client still receives all the routes, but Mikrotik doesn't know where to send the traffic because it doesn't have a matching IPSec policy.

For example, let's say you have subnets 192.168.8.0/24, 10.1.1.0/24 and 172.16.0.0/20 on the Mikrotik. If you specify these routes in "Mode Config", they are advertised to the client and can be seen in the client's routing table. But the dynamically created policy is only for the subnet that is specified first in the Mode Config, i.e. 192.168.8.0/24. If two additional policies were created dynamically for 10.1.1.0/24 and 172.16.0.0/20, everything would work perfectly fine.

The situation I described and tested was between OS X Sierra and Mikrotik 6.39rc38, so the client in this case cannot be an issue and I don't see the reason why it would be.

Thanks

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 27, 2017 12:02 pm
by mrz
Enable ipsec debug logs. Generate supout file and send it to support.

Re: Feature Req: IKEv2 server and client

Posted: Mon Feb 27, 2017 7:51 pm
by TheD
FYI. Support just confirmed the bug (2017022722000338) which will be fixed in next release.

Re: Feature Req: IKEv2 server and client

Posted: Sat Mar 04, 2017 4:46 pm
by msatter
Today I wanted to use my IPSEC IKEv2 connection and it did not work. At home I looked into it and noticed that on build-up of the IKEv2 connection some packets were fragmented on UDP and dropped because they have no expected port.

I am on RC41 and my Mikrotik is a RB750Gr3. I am using an Android phone with Strongswan to make the connection.

To solve this connection problem I now have a dedicated rule in RAW that returns fragmented UDP packets to the rules again. Normally any UDP without the expected port or with no port (fragmented) is dropped.

Re: Feature Req: IKEv2 server and client

Posted: Fri Mar 10, 2017 1:38 pm
by mrz
Just to update the status of the RADIUS problem: I was told by Mikrotik support via email that it will not be fixed yet: "Definitely not in next RC, maybe after few versions. At the moment we want to fix more critical problems first."
Fixed in 6.39rc49

Re: Feature Req: IKEv2 server and client

Posted: Fri Mar 10, 2017 1:41 pm
by hamster
Wonderful! I'll test it over the weekend and let you guys know the result.

Re: Feature Req: IKEv2 server and client

Posted: Sat Mar 11, 2017 12:19 am
by biatche
hi, i wish to get an ikev2 server on MT running for the first time as a road warrior setup. clients will be entirely windows 7/10 for now... my only experience is with ipsec/l2tp

1) if both client and server have dynamic ips (pppoe), how will the certs work? can i use a domain name (CNAME record) like vpn.mydomain.com which is a CNAME pointing to the mikrotik cloud address?
2) what firewall rules are needed?
3) also, is site-to-site ikev2 any more reasonable than ipsec tunnels and other vpn methods now?

Re: Feature Req: IKEv2 server and client

Posted: Mon Mar 13, 2017 9:30 am
by netleak
There are several types of EAP MSCHAP implementations (not to mention that they are all drafts, and the client or server may implement an older draft version):
MS-EAP-Authentication (EAP/MS-CHAPv2) RFC-draft-kamath-pppext-eap-mschapv2-02.txt
PEAPv0/EAP-MSCHAPv2 RFC-draft-dpotter-pppext-eap-mschap-01.txt

In your case the authentication selected on freeradius is not compatible with the client's authentication algorithm.
There is no option to set the MSChapv2 type in FreeRadius; it only supports a single type.
It is commented that it supports Microsoft's implementation and not Cisco's.

I am trying with Ios 10 client.
Has anybody successfully connected it to FreeRadius?

Re: Feature Req: IKEv2 server and client

Posted: Mon Mar 13, 2017 7:25 pm
by emiX
Anyone with working config for IKEv2 eap radius and Windows Server 2012 R2 Network Policy Server Radius ?

With 6.39.rc51 better than rc49 >> radius debug finaaaally shows correct
user-name = "domain/user" from Windows client's EAP-MSCHAPv2
and received Access-Accept with id xxx from 192.168.x.y:1812 (my Windows radius server)
and in 'Policies' there is successfully generated Policy for client dst.address IP (>> but just for a while because on Windows client there is error..see below)
and on Windows radius server logs there is Audit Success with grant Full Access

but still not working, on Windows client there is error >> The error code returned on failure 13838 (google just say Error processing Signature payload. / ERROR_IPSEC_IKE_PROCESS_ERR_SIG) but on Mikrotik logs everything looks fine.
and iPhone iOS is not working as well >> Radius grants access but, unlike the Windows client, there is no dynamic Policy generated.

Please help...

Windows Network Policy for Mikrotik IKEv2 match correct with settings: in Conditions NAS Port Type > Virtual (VPN)
and in Settings no Standard RADIUS attributes (no PPP and no Framed)

New edit: Android strongSwan client with IKEv2 EAP username/password type and + ca certificate works correctly. The server identity option must be set to the fqdn dns name from the ca certificate. The same configuration on iPhone iOS does not work.

Re: Feature Req: IKEv2 server and client

Posted: Tue Mar 14, 2017 2:23 am
by hamster
Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is a kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 5:46 am
by mrz
Android client supports eap-only. Windows and iOS do not. Maybe that is the problem. For itto work you need a valid certificate on the ipsec server

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 11:46 am
by hamster
It's true, I have self signed certificate on the router, generated by the router itself, but I have also installed this certificate on my Windows 10 client to user's and computer's Trusted Root Cert. Authorities "store", so Windows recognises the router's certificate as perfectly valid... So I don't think it's a problem with certificate itself. Now what should be the next step in making this work?

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 12:52 pm
by emiX
Android client supports eap-only. Windows and iOS do not. Maybe that is the problem. For itto work you need a valid certificate on the ipsec server
What does 'itto work' and 'valid certificate' mean for me? I want at least one functional method for IKEv2 to authenticate Win and iOS clients with Radius based on Windows Network Policy Server... Is it so much for Mikrotik to make it compatible and available for us? There has been no reliable method nor config over the months/years that IKEv2 has existed.

BTW: Android 6 and higher native IKEv2 client supports just the certificate or passphrase method, which is also an incomprehensible evolution of that 'most' widely used client system in the world.

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 2:19 pm
by mrz
It means that you need certificate on radius server and on ipsec server.

And the native android client does not support ike2 even in android 7. The strongswan client is used instead and it supports eap mschap

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 3:55 pm
by hamster
Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 15, 2017 7:59 pm
by emiX
Certificate is now also installed on the NPS (RADIUS) server and the result is exactly the same as before.
hamster is right, same in my environment with Windows Radius even with certificate installation.
In new 6.39rc54 no change = same problem with error 13838 in Windows client and not working iOS IKEv2 with username authentication.

Re: Feature Req: IKEv2 server and client

Posted: Thu Mar 16, 2017 5:11 am
by mrz
enable debug logs, generate supout file after tunnel fails and send file to support

Re: Feature Req: IKEv2 server and client

Posted: Thu Mar 16, 2017 10:54 am
by maw
Yep, same problem here as emiX is having. At first I was getting "no proposal chosen" errors, but after setting PFS group to "none" (which is a kinda moronic default in Windows, but you can "conveniently" change that via PowerShell), it "established" the connection, but Windows asked me for username and password 2 more times before saying nope, f you, "Error processing Signature payload".

Soo... Good try Mikrotik, getting closer there, but nope, still not working.

We are experiencing exactly this issue too.

Re: Feature Req: IKEv2 server and client

Posted: Thu Mar 23, 2017 5:11 pm
by maw
Is there any progress with this problem?

Re: Feature Req: IKEv2 server and client

Posted: Thu Mar 23, 2017 5:15 pm
by mrz
As mentioned several times before, send a supout file with enabled ipsec debug logs to support. We cannot guess what is not working for you.

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 03, 2017 12:30 pm
by magneto
Hi,
What about 6.39rc58 ?
Has anyone tried Windows 7 native client + mikrotik IKEv2 server (6.39rc58) + Microsoft NPS ?
Does it work?

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 05, 2017 11:02 am
by GShock
I'm receiving "Error processing Signature payload". And I don't know how to solve it. (Windows 10<->hap-lite<->NPS 2k12R2) (Win10 Mobile not working in any scenario)
IKEv2 with authentication via RSA Signature now working more stable.
(6.39rc62)

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 05, 2017 6:21 pm
by magneto
I have the same problem whether I use the EAP-MSCHAPv2 method with certificate on the mikrotik server or EAP-PEAP with certificate on Microsoft NPS.
I'm using Windows 7 as a client. Certificates are correct because they work for SSTP connection on the same mikrotik server and Windows client.

Re: Feature Req: IKEv2 server and client

Posted: Thu Apr 06, 2017 3:40 pm
by magneto
I've just got an info from MT support that the problem was found and will be fixed in next RC.
Hope this is last problem ;)

Re: Feature Req: IKEv2 server and client

Posted: Thu Apr 06, 2017 5:51 pm
by emiX
I have the same problem whether I use the EAP-MSCHAPv2 method with certificate on the mikrotik server or EAP-PEAP with certificate on Microsoft NPS.
I'm using Windows 7 as a client. Certificates are correct because they work for SSTP connection on the same mikrotik server and Windows client.
"SSTP connection" with verify-client-certificate=yes ??? I don't think so, but if yes, please send your config with working NPS.

Re: Feature Req: IKEv2 server and client

Posted: Thu Apr 06, 2017 6:50 pm
by magneto
No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.

Re: Feature Req: IKEv2 server and client

Posted: Fri Apr 07, 2017 12:29 pm
by emiX
No, "verify-client-certificate=yes" you can use only for mikrotik to mikrotik connections.
Windows native client doesn't support it. I was talking only about authenticating mikrotik SSTP server.
Okay, but if you use verify-client-certificate=no, you can connect successfully with any wrong certificate if you have the correct xychap password :]

Re: Feature Req: IKEv2 server and client

Posted: Fri Apr 07, 2017 12:38 pm
by magneto
There are two things with SSTP. Server authentication and client authentication.
To authenticate the server, the server needs to have a certificate which you can validate using root certificates in the local computer store of your PC.
To authenticate the client (Windows client) you have to use PAP, CHAP or MS-CHAPv2. You can't use "verify-client-certificate=yes" because it is not supported by Windows, and you can't use EAP methods because they are not supported by mikrotik.

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 11, 2017 10:03 pm
by chris88g4
I made the certificates (ca, server and client), but I can't make it work on macOS. Also I am getting the error "no EAP found" in the mikrotik log. Has anyone made IKEv2 work with macOS or iOS generally with certificates?

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 12, 2017 8:52 am
by GShock
RC68
Working! At least I was able to connect from Windows 2012 R2 (has public ip) via IKEv2 (hap lite + NPS Win2012R2 - EAP Authentication)
For desktops (under NAT) I saw in logs: "No IKEv1 peer config for 8.8.8.8." Not working.
So, for machines with Public IP -working.
Correct me if I`m wrong.

For desktops (under NAT) working IKEv2 with RSA Signature authentication.

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 12, 2017 11:06 am
by magneto
On the newest RC 6.39rc68 it also works when the client (Win7) and the mikrotik IKEv2 Server are both behind NAT.
Now it's time for testing stability and performance...
One thing which doesn't work for me now is assigning a VPN pool for IKEv2 clients dynamically via RADIUS attributes (I'm using "IP-Framed-pool").
Does anyone know how to achieve this?

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 12, 2017 12:11 pm
by magneto
Information from MT support:
"Currently ike2 does not support radius attributes, but we might add this functionality in the future"

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 12, 2017 11:38 pm
by n1am
Hi guys,
I'm doing some experiments on ike2 these days. Is there a way to assign a specific IP address from the VPN pool to a specific user?
I would like to filter vpn traffic by user. Using L2TP/IPSEC this can be done via the l2tp server binding interface; with ike2 there is no interface, only pure routing.

Re: Feature Req: IKEv2 server and client

Posted: Fri Apr 14, 2017 9:17 am
by GShock
In addition. So my Mikrotik has an SSL certificate from StartCom. Valid certificate (KLT status in Certificates), https works perfectly (in the green zone), every Windows detects this certificate as a trusted certificate.
I have IKEv2 settings with the StartCom certificate assigned. As I said earlier, Windows 2012 R2 is able to connect via IKEv2 with the mentioned certificate. Windows 10, Windows 10 Mobile - not.
With Mikrotik's self-signed certificates Windows 10 and Windows 10 Mobile are able to.
Mikrotik`s server certificate has KIT flag, StartCom`s -KLT.
SSTP with StartCom cert works perfectly

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 24, 2017 5:40 pm
by hoge
Is there a way to assign a specific IP address for a client by CN from its certificate?

I have a RoadWarrior IKEv2 setup with RSA Signature authentication. Now I'd like to configure a route from the server to one of the clients, so I need to tie a static IP address for that client. I know it's possible to tie an IP by XAuth username, but according to the manual XAuth options aren't available with IKEv2.

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 24, 2017 5:48 pm
by mrz
Currently it is not possible, but this feature might be implemented in the future.

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 11:33 am
by kennerblick
Sorry for double-post but in the beginners basic there is no reaction:

I have created a VPN tunnel with IPSec and IKEv2 between Windows 10 (1703) and a Mikrotik rb 3011 UiAS-RM (v6.39rc79).
The configuration is made like https://wiki.mikrotik.com/wiki/Manual:I ... rver_Setup.
Certificates are created and imported on the windows client. The client is connected and gets an IP from the Mikrotik router:

Router: 192.168.83.1/24
VPN-Client: 192.168.83.110
Client behind Router: 192.168.83.30

Ping from VPN-Client to VPN-Router works.
I can't ping from VPN-Client to the clients behind the router.

What's wrong with my configuration?

Thank you!!

[admin@router] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
192.168.83.1/24 192.168.83.0 ether2-master
1 xxx.xxx.xxx.xxx/30 xxx.xxx.xxx.xxx WAN


[admin@router] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
2 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related log=no log-prefix=""
6 ;;; VPN
chain=input action=accept connection-state=new protocol=udp dst-port=500 log=no
7 chain=input action=accept protocol=udp dst-port=1701 log=no
8 chain=input action=accept protocol=udp dst-port=4500 log=no
9 chain=input action=accept protocol=ipsec-esp log=no
10 chain=input action=accept protocol=ipsec-ah log=no
11 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
12 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=WAN log=no log-prefix=""
13 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""


[admin@router] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
1 chain=srcnat action=accept src-address=192.168.83.104/29 dst-address=192.168.83.16/28 log=no

[admin@router] /ip ipsec> policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * group=default src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
1 DA src-address=0.0.0.0/0 src-port=any dst-address=192.168.83.110/32 dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes sa-src-address=[WAN-SRC-IP] sa-dst-address=[WAN-DST-IP] proposal=default
priority=0 ph2-count=1

[admin@router] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 213.211.236.93 1
1 ADC 192.168.83.0/24 192.168.83.1 bridge 0
2 ADC [WAN-DST-Subnet]/30 [WAN-DST-IP] WAN 0

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 12:12 pm
by mrz
There are a lot of problems:
1. Since you are giving VPN client address from the same subnet as set on LAN, then proxy-arp should be used.
2. Ipsec will not work with firewall rule #11 and #15
3. NAT.
4. Windows firewall.
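A firewall layout that addresses points 1 to 3 above, as an added example that is not from the thread: it keeps the interface name WAN and the LAN 192.168.83.0/24 from the quoted configuration and uses a constructed, separate VPN pool 10.0.83.0/24 (so proxy-arp is not needed); the rule comments explain why each defconf rule breaks IPsec.

```routeros
# Added example, not from the thread. Constructed value: VPN pool 10.0.83.0/24
# (a separate subnet, so point 1 / proxy-arp does not apply). WAN and
# 192.168.83.0/24 are taken from the quoted configuration.

/ip pool
add name=vpnpool ranges=10.0.83.2-10.0.83.254

/ip ipsec mode-config
add name=cfg1 address-pool=vpnpool address-prefix-length=32 \
    split-include=192.168.83.0/24 system-dns=yes

/ip firewall filter
# Input: only what IKEv2 needs. UDP 500 (IKE), UDP 4500 (NAT-T) and ESP for
# peers that are not behind NAT. UDP 1701 is L2TP and is not used by IKEv2.
add chain=input action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept protocol=udp dst-port=500,4500 comment="IKEv2: IKE and NAT-T"
add chain=input action=accept protocol=ipsec-esp comment="IKEv2: ESP without NAT-T"
# Decrypted packets from VPN clients still carry in-interface=WAN, so they must be
# accepted before the defconf "drop all from WAN" rule or the router itself is unreachable.
add chain=input action=accept src-address=10.0.83.0/24 \
    comment="IKEv2: decrypted client traffic to the router"
add chain=input action=drop in-interface=WAN comment="defconf: drop all from WAN"

# Forward, point 2 (rule 11): a fasttracked connection bypasses the IPsec policy
# lookup, so LAN->client replies would leave WAN in clear text. Accept tunnel
# traffic explicitly before the fasttrack rule so the connection is never marked.
# The same accept also handles rule 15: decrypted client->LAN packets are "new",
# arrive on WAN and were never dst-nat'ed, so defconf would drop them.
add chain=forward action=accept src-address=10.0.83.0/24 dst-address=192.168.83.0/24 \
    comment="IKEv2: client -> LAN (before fasttrack and the WAN drop)"
add chain=forward action=accept src-address=192.168.83.0/24 dst-address=10.0.83.0/24 \
    comment="IKEv2: LAN -> client (before fasttrack)"
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related \
    comment="defconf: accept established,related"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip firewall nat
# Point 3: masquerade rewrites the LAN source to the WAN address before the dynamic
# policy (dst-address=<client>/32) is evaluated, so the reply never matches the
# policy and leaves unencrypted. Exempt tunnel-bound traffic ahead of masquerade.
add chain=srcnat action=accept dst-address=10.0.83.0/24 \
    comment="IKEv2: do not NAT traffic headed into the tunnel"
add chain=srcnat action=masquerade out-interface=WAN comment="defconf: masquerade"
```

After a reconnect, /ip ipsec policy print should show a dynamic policy from 192.168.83.0/24 to the client's /32, and the counters of the fasttrack and masquerade rules should not grow while pinging across the tunnel.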

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 1:11 pm
by kennerblick
Thank you for the list of problems:
1. proxy-arp is activated on bridge and ethernet2-master
2. firewall #11 and #15 is now disabled
3. NAT? you mean masquerade srcnat SRC192.168.83.104/29 DST192.168.83.16/28 ?
4. i can ping the client behind router from the router

Is it much better to give the VPN client an address from another subnet?

thank you!

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 1:31 pm
by mrz
Yes, it is recommended to use different subnet for VPN clients.

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 2:47 pm
by kennerblick
Now I have given my VPN client an IP address from another subnet. After connecting I must configure a route on the VPN client to the VPN network manually to successfully ping the router and the client. Step by step. How can I push the route to the VPN client from the router?

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 3:11 pm
by mrz
Specify splitnet in modeconf.

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 26, 2017 4:44 pm
by kennerblick
I have inserted 192.168.83.0/24 in mode-config for the vpn and reconnected the vpn client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24

Re: Feature Req: IKEv2 server and client

Posted: Thu Apr 27, 2017 9:34 am
by kennerblick
log router:
Message TSi in tunnel mode replaced with config address: 10.0.83.255
Message TSr in tunnel mode replaced with split subnet: 192.168.83.0/24
Message canditate selectors: 192.168.83.0/24 <=> 10.0.83.255

on VPN-Client-Side:

PS C:\WINDOWS\system32> get-vpnconnection

Name : TestVPN
ServerAddress : testvpn.dns.com
AllUserConnection : False
Guid : {E35234652-7320-634A-CDABA-2656A764D1}
TunnelType : Ikev2
AuthenticationMethod : {MachineCertificate}
EncryptionLevel : Required
L2tpIPsecAuth :
UseWinlogonCredential : False
EapConfigXmlStream :
ConnectionStatus : Connected
RememberCredential : True
SplitTunneling : True
DnsSuffix :
IdleDisconnectSeconds : 0


but no route to destination network.

Re: Feature Req: IKEv2 server and client

Posted: Fri Apr 28, 2017 3:36 pm
by kennerblick
workaround:

on the VPN-Client
powershell
Add-VpnConnectionRoute -ConnectionName "VPNConnection" -DestinationPrefix 192.168.83.0/24 -PassThru

then there is an active route while the vpn connection is active, also after a reboot of the machine

Re: Feature Req: IKEv2 server and client

Posted: Wed May 03, 2017 6:26 am
by biatche
can someone kindly share a working setup of ikev2+eap+radius?

Re: Feature Req: IKEv2 server and client

Posted: Sat May 13, 2017 5:59 pm
by MikroTikFan
+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN

Re: Feature Req: IKEv2 server and client

Posted: Mon May 15, 2017 9:01 am
by ziegenberg
+1 IKEv2

All Cloud Services like Google Cloud, AWS, AZURE need this type to connect VPN
IKEv2 is already there and working. You need to update to the current channel.

greetings, Daniel

Re: Feature Req: IKEv2 server and client

Posted: Wed May 17, 2017 1:15 pm
by Raice
I have inserted 192.168.83.0/24 in mode-config for the vpn and reconnected the vpn client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
have the same problem, server is not pushing route to client. My client is ROS 6.39.1

Re: Feature Req: IKEv2 server and client

Posted: Wed May 17, 2017 2:34 pm
by mrz
I have inserted 192.168.83.0/24 in mode-config for the vpn and reconnected the vpn client, but the gateway will not push it to them.
Syntax problem?


[admin@router] /ip ipsec mode-config> print
Flags: * - default
0 * name="request-only"

1 name="cfg1" system-dns=yes static-dns="" address-pool=vpnpool
address-prefix-length=32 split-include=192.168.83.0/24
have the same problem, server is not pushing route to client. My client is ROS 6.39.1
Ipsec is policy based, it is not supposed to push any routes.

Re: Feature Req: IKEv2 server and client

Posted: Wed May 17, 2017 3:22 pm
by Raice
Ipsec is policy based, it is not supposed to push any routes.
Could you please look into my problem?
viewtopic.php?f=2&t=121609

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 12:27 pm
by aequitasnl
I apologize if this has been answered before, but I spent about 10 hours already trying to make a working config... Does anyone have a working IKEv2 for road warriors config that I could borrow as my starting point? I'm using ROS v6.38.
Hamster,

No need to apologise. It has taken me ages to get an IKEv2 based RoadWarrior setup working. I can confirm I got this working between Mikrotik and 3 devices, iPad, iPhone and MacBook Pro.

I am using 6.39rc12 and my IPSEC config is below:
/ip ipsec mode-config
set request-only name=request-only
add address-pool=ipsec-pool address-prefix-length=24 name=cfg_priv split-include=0.0.0.0/0,<local subnet> system-dns=\
    yes
/ip ipsec policy group
set default name=default
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc \
    lifetime=1h name=default pfs-group=modp2048
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=<cert name>_0 comment=IKEv2 dh-group=\
    modp4096 disabled=no dpd-interval=2m enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
    hash-algorithm=sha512 lifetime=1d local-address=<public IP> mode-config=cfg_priv my-id=fqdn:<public URL> \
    passive=yes policy-template-group=default send-initial-contact=no
/ip ipsec policy
set 0 disabled=no dst-address=0.0.0.0/0 group=default proposal=default protocol=all src-address=0.0.0.0/0 template=\
    yes
/ip ipsec user settings
set xauth-use-radius=no
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
Note I found this incredibly finicky to get working. For example, just viewing the Peer config page in webfig causes the remote certificate option to change (!) The EAP Radius doesn't work at all for me - RADIUS sends access accept but iOS clients complain:
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Authentication method did not match
Jan 14 00:08:46 iPad neagent(NetworkExtension)[5207] <Error>: Failed to process IKE Auth packet
So I just use the rsa-signature option and then it works. You must use MobileConfig to build a profile to load onto your iOS device and MacBook to get the clients properly configured.

Hope this helps.

Achelon
I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.

The solution for me also was to build a profile. I used the Apple Configurator 2 [0] to build a VPN profile for a Macbook running Sierra 10.12.5 against Mikrotik 6.39.1. Using IKEv2 PSK worked fine. I have not tested if PFS makes a difference. It is also possible to create the profiles (XML) by hand if needed[1]. Here is an obfuscated example of my working configuration profile[2].

I hope this will help someone not to waste hours setting this up properly like I did :)

[0] https://itunes.apple.com/us/app/apple-c ... 1037126344
[1] https://developer.apple.com/library/con ... ction.html
[2]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IKEv2</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>ChildSecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>DeadPeerDetectionRate</key>
				<string>Medium</string>
				<key>DisableMOBIKE</key>
				<integer>0</integer>
				<key>DisableRedirect</key>
				<integer>0</integer>
				<key>EnableCertificateRevocationCheck</key>
				<integer>0</integer>
				<key>EnablePFS</key>
				<integer>0</integer>
				<key>IKESecurityAssociationParameters</key>
				<dict>
					<key>DiffieHellmanGroup</key>
					<integer>14</integer>
					<key>EncryptionAlgorithm</key>
					<string>AES-256</string>
					<key>IntegrityAlgorithm</key>
					<string>SHA2-256</string>
					<key>LifeTimeInMinutes</key>
					<integer>1440</integer>
				</dict>
				<key>LocalIdentifier</key>
				<string>roadwarrior</string>
				<key>RemoteAddress</key>
				<string>example.com</string>
				<key>RemoteIdentifier</key>
				<string>example.com</string>
				<key>SharedSecret</key>
				<string>XXXXXXXXXXX</string>
				<key>UseConfigurationAttributeInternalIPSubnet</key>
				<integer>0</integer>
			</dict>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>0</integer>
			</dict>
			<key>PayloadDescription</key>
			<string>Configures VPN settings</string>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
			<key>UserDefinedName</key>
			<string>IPSEC</string>
			<key>VPNType</key>
			<string>IKEv2</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>Untitled</string>
	<key>PayloadIdentifier</key>
	<string>XXXX</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>XXXX</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 1:01 pm
by mrz
I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.
It is an Apple bug. They do not do rekey correctly when the DH group is anything less than 14

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 1:12 pm
by aequitasnl
I also had a lot of trouble getting the configuration to work. Initially my connection ran fine but would disconnect every 8 minutes when rekeying.
It is an Apple bug. They do not do rekey correctly when the DH group is anything less than 14
Currently using 14, so that should work?

I was a little too eager to say it worked for me. At the moment it does not disconnect after 8 minutes but after a longer while. Still investigating why, but it seems to be a rekeying issue as well.

Also I experience the same issue as achelon in that ipsec peer options seem to change randomly when saving (i.e. mode-config is reset from cfg1 when I change something else). Is this a known issue? If needed I can try to reproduce it in a clean environment. Where would I need to report bugs like this?

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 1:31 pm
by mrz
Where and what exactly are you changing? Tried winbox, terminal and webfig; the modeconf param stayed unchanged.

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 2:03 pm
by aequitasnl
I have not yet pinned it down to a specific setting. I think it might be certificates. I will try to reliably reproduce this so I know for sure which setting and report back here.

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 2:19 pm
by mrz
It is better to report to support not here in forum.

Re: Feature Req: IKEv2 server and client

Posted: Mon May 22, 2017 2:43 pm
by aequitasnl
I figured since I don't have paid support I had to use the forums. But I will forward it to support when I have a proper bug report.

Re: Feature Req: IKEv2 server and client

Posted: Tue May 23, 2017 12:03 am
by aequitasnl
I got a stable ipsec connection now for a while and am considering my problem solved. So I figure my assumption about proposals was wrong. I had the default proposal configured with modp1024 and another with modp2048, figuring it would select the one that would fit best during the rekeying. But as far as I can tell the default proposal is always used or a policy needs to be created instead. Somehow I totally overlooked the 'policy template group' option in peers to link the two together.

Re: Feature Req: IKEv2 server and client

Posted: Thu Jun 08, 2017 7:35 pm
by Caci99
Guys, a dumb question, but ... how can I understand if I'm using IKEv2 or not? :)

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 09, 2017 12:44 pm
by mrz
When you set exchange-mode=ike2 :)

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 09, 2017 10:41 pm
by Caci99
When you set exchange-mode=ike2 :)
:lol: got it

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 16, 2017 4:12 am
by th0massin0
Is it possible to assign a static IP for an IPsec IKEv2 peer?

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 16, 2017 6:13 am
by mrz
Yes, in latest RC version we have added RADIUS attributes to assign IKE2 addresses.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 16, 2017 10:17 am
by th0massin0
Thank you for your reply. Could you tell me if it requires external RADIUS server or is it possible to combine it with user manager (or xauth)?

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 16, 2017 10:32 am
by mrz
Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jul 19, 2017 1:12 pm
by amilus
Hello
ikev2 eap-radius
OS X and iPhone work
Windows 7: error 13801

I use a wildcard certificate in strongSwan with no problem.
I simply place the intermediate certificate in /etc/ipsec.d/cacerts.

My Config
/ip ipsec mode-config
add address-pool=pool name=ikev2 split-include=0.0.0.0/0
/ip ipsec policy group
add name=ikev2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des lifetime=8h pfs-group=\
none
add enc-algorithms=aes-128-cbc,3des lifetime=8h name=ipsec pfs-group=none
add auth-algorithms=sha256 enc-algorithms="" lifetime=8h name=ikev2 pfs-group=\
none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=eap-radius certificate= Wildcard.crt \
enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict \
hash-algorithm=sha256 mode-config=ikev2 passive=yes policy-template-group=\
ikev2
/ip ipsec policy
add dst-address=0.0.0.0/0 group=ikev2 src-address=0.0.0.0/0 template=yes
/ip ipsec user settings
set xauth-use-radius=yes

Win connect log
03:08:10 echo: ipsec payload seen: TS_R
03:08:10 echo: ipsec ike auth: respond
03:08:10 echo: ipsec processing payload: ID_I
03:08:10 echo: ipsec peer ID (ADDR4): 192.168.88.23
03:08:10 echo: ipsec processing payloads: NOTIFY
03:08:10 echo: ipsec notify: MOBIKE_SUPPORTED
03:08:10 echo: ipsec my ID (ADDR): 45.32.227.242
03:08:10 echo: ipsec adding payload: ID_R
03:08:10 echo: ipsec adding payload: CERT
03:08:10 echo: ipsec processing payload: NONCE
03:08:10 echo: ipsec adding payload: AUTH
03:08:10 echo: ipsec adding payload: EAP

Re: Feature Req: IKEv2 server and client

Posted: Wed Jul 19, 2017 1:19 pm
by mrz

Re: Feature Req: IKEv2 server and client

Posted: Wed Jul 19, 2017 7:48 pm
by amilus
Thank you for your reply
I use a wildcard certificate; the certificate subjectName is *.mydomain.com
I tried setting the FQDN for the domain name ikev.mydomain.com
But still prompt 13801 error

The same certificate in the strongswan everything is normal

Re: Feature Req: IKEv2 server and client

Posted: Thu Jul 20, 2017 10:53 am
by mrz
Wildcard certificates are supported only starting from v6.40rcXX version.

Re: Feature Req: IKEv2 server and client

Posted: Thu Jul 20, 2017 2:06 pm
by amilus
Wildcard certificates are supported only starting from v6.40rcXX version.
Thank you
I have upgraded to 6.40rc41
But the problem still exists

The certificate can be used normally on sstp

What do I need to do with the certificate?

Re: Feature Req: IKEv2 server and client

Posted: Fri Jul 21, 2017 2:00 pm
by dfxer
Hi!

Please clarify for me the interconnection between peer, policy and proposal in ROS during a client (rw) connection to MikroTik.
Which peer, policy and proposal are chosen during negotiation in phase 1 and phase 2, and by what criteria?
What do parameters with comma-separated values mean during negotiation, and why does e.g. hash-algorithm not support list values?
What do group and template mean for a policy?

May be on this example:
/ip ipsec peer print
 0   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha1
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp1024 dpd-interval=disable-dpd
 1   R address=::/0 passive=yes auth-method=rsa-signature certificate=mktik.cert.pem_0 generate-policy=port-strict
      policy-template-group=default exchange-mode=ike2 mode-config=ike2_cfg send-initial-contact=no hash-algorithm=sha256
      enc-algorithm=aes-256,aes-192,aes-128 dh-group=modp2048 dpd-interval=disable-dpd

/ip ipsec policy print
 0 T * group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=default template=yes
 1 T   group=default src-address=0.0.0.0/0 dst-address=192.168.7.0/24 protocol=all proposal=dh14 template=yes

/ip ipsec proposal print
 0  * name="default" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp1024
 1    name="dh14" auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m pfs-group=modp2048
Thank you in advance.
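The object chain aequitasnl found above (peer → policy-template-group → policy template → proposal) and dfxer's question about which object carries which settings, as an added example; it is not from the thread or from MikroTik's wiki. It assumes a server certificate already imported as ike2-server.crt_0, a client pool of 10.20.30.0/24 and the ike2-* object names, all placeholders.

```routeros
# Added example (not from the thread): one consistent chain of objects for an
# IKEv2 road-warrior responder on RouterOS 6.4x. ike2-* names, the pool and
# the certificate name are placeholders; replace them with your own.

# 1. Address pool handed to clients through mode-config
/ip pool
add name=ike2-pool ranges=10.20.30.2-10.20.30.254

/ip ipsec mode-config
add name=ike2-cfg address-pool=ike2-pool split-include=0.0.0.0/0 system-dns=yes

# 2. Phase-2 (child SA) algorithms live in the proposal. pfs-group is the
#    child-SA DH group; modp2048 is DH group 14, which the thread reports
#    Apple clients need in order to rekey correctly.
/ip ipsec proposal
add name=ike2-prop auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=modp2048 lifetime=30m

# 3. Policy template: a member of a policy group. Its proposal is the one used
#    for every child SA generated from it; src is the local side, dst the pool.
/ip ipsec policy group
add name=ike2-group

/ip ipsec policy
add group=ike2-group template=yes src-address=0.0.0.0/0 dst-address=10.20.30.0/24 \
    protocol=all proposal=ike2-prop

# 4. Peer: phase-1 (IKE SA) settings. hash-algorithm and dh-group are
#    single-valued, enc-algorithm is a comma-separated list offered to the
#    client; policy-template-group links to step 3, mode-config to step 1.
/ip ipsec peer
add address=0.0.0.0/0 passive=yes exchange-mode=ike2 \
    auth-method=rsa-signature certificate=ike2-server.crt_0 \
    hash-algorithm=sha256 enc-algorithm=aes-256,aes-128 dh-group=modp2048 \
    generate-policy=port-strict policy-template-group=ike2-group \
    mode-config=ike2-cfg send-initial-contact=no
```

With this chain a client connecting to the peer gets an address from ike2-pool, a dynamic policy generated from the template, and child SAs negotiated with ike2-prop (DH group 14 for PFS).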

Re: Feature Req: IKEv2 server and client

Posted: Wed Jul 26, 2017 8:42 pm
by amilus
Wildcard certificates are supported only starting from v6.40rcXX version.
I have upgraded to 6.40
But the problem still exists

Re: Feature Req: IKEv2 server and client

Posted: Sun Oct 08, 2017 8:02 pm
by huntah
Hi all,

I have a working road warrior IKEv2 setup but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (StrongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for local subnet is working as it should.

Has anyone been able to Route all traffic over IKEv2. How?
I am using ROS 6.40.4

Re: Feature Req: IKEv2 server and client

Posted: Sun Oct 08, 2017 10:47 pm
by ihave
Hi all,

I have a working road warrior IKEv2 setup but I would like to route all traffic across the VPN, not just split-tunnel.
I cannot seem to make it work.
I get the default route (StrongSwan, even on Win10 with the option to use the remote default gateway) but it does not seem to work.
I think it is a problem with masquerade.
The split-include for local subnet is working as it should.

Has anyone been able to Route all traffic over IKEv2. How?
I am using ROS 6.40.4
Hi Huntah,

It took me several days of testing to find out that all I had to do was allow the traffic through the firewall.
Modeconfig:
Split Include 0.0.0.0/0

Firewall NAT:
Action: masquerade, Chain: srcnat, Out. Interface: wan-interface (this rule is already there I assume).

Firewall Rules:
Action: accept, Chain: forward, Src. Address: VPN subnet, Dst. Address: 0.0.0.0/0
Action: accept, Chain: forward, Src. Address: 0.0.0.0/0, Dst. Address: VPN subnet
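ihave's steps above in CLI form, as an added example that is not from the thread; it also covers huntah's later finding that masquerading by out-interface alone does not reach the router's other VPN links. 10.20.30.0/24 (client pool) and 192.168.88.0/24 (LAN) are placeholders; the matchers are real RouterOS 6.4x syntax.

```routeros
# Added example (not from the thread): firewall and NAT rules that let
# full-tunnel IKEv2 clients (mode-config split-include=0.0.0.0/0) reach the
# Internet, the LAN and the router's other VPN links. 10.20.30.0/24 (client
# pool) and 192.168.88.0/24 (LAN) are placeholders.

/ip firewall address-list
add list=ike2-clients address=10.20.30.0/24 comment="IKEv2 mode-config pool"
add list=local-lan address=192.168.88.0/24

/ip firewall filter
# Only decrypted IPsec traffic from the pool is accepted, so a cleartext
# packet spoofing a pool source address does not match this rule.
add chain=forward action=accept src-address-list=ike2-clients ipsec-policy=in,ipsec \
    comment="IKEv2 clients -> anywhere"
# Return and inbound traffic that will be encrypted into a client tunnel.
add chain=forward action=accept dst-address-list=ike2-clients ipsec-policy=out,ipsec \
    comment="anywhere -> IKEv2 clients"
# Both rules must sit above any drop rule in the forward chain (use move).

/ip firewall nat
# Masquerade by source pool rather than by out-interface, so traffic toward
# the router's other VPN endpoints (L2TP client, OVPN, ...) is NATed too.
# ipsec-policy=out,none skips packets that already match an IPsec policy
# (for example client-to-client traffic). The LAN is excluded so local hosts
# still see the real client address.
add chain=srcnat action=masquerade src-address-list=ike2-clients \
    dst-address-list=!local-lan ipsec-policy=out,none \
    comment="full-tunnel IKEv2 clients"
```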

Re: Feature Req: IKEv2 server and client

Posted: Wed Oct 11, 2017 12:30 am
by huntah
Thank you ihave!

I was missing the forward firewall rule!
Now the internet is working but I have another problem.

From my router where the IKEv2 server is I have several VPN tunnels (OVPN, L2TP client to another branch, etc.).
If I use L2TP/IPSEC Server instead of IKEv2 I can reach all the remote (VPN) locations.
If I connect using IKEv2 I cannot. But internet is now working.

I think there is still a masquerade problem..will investigate further..

Re: Feature Req: IKEv2 server and client

Posted: Wed Oct 11, 2017 12:37 am
by huntah
Yes, it was a masquerade problem!
I have to masquerade traffic to my other VPN endpoints, therefore I have to masquerade on all interfaces, not just the internet one.

Once again thank you ihave!

Re: Feature Req: IKEv2 server and client

Posted: Fri Oct 20, 2017 5:31 pm
by Valexus
Hello everyone,

I'm trying to get a connection between a Nexus 5X with Strongswan and an RB2011 with 6.39.3 over IKEv2 and certificates.
But I'm unable to get a connection. It seems that PH2 is failing.

Router Log: [screenshot attachment Unbenannt.PNG, not reproduced]
Strongswan Log:
Oct 20 16:12:33 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Android 8.0.0 - OPR4.170623.009/2017-10-05, Nexus 5X - google/bullhead/LGE, Linux 3.10.73-ga51b1600b7f8, aarch64)
Oct 20 16:12:33 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Oct 20 16:12:33 00[JOB] spawning 16 worker threads
Oct 20 16:12:33 06[CFG] loaded user certificate 'CN=vpn-Nexus5X' and private key
Oct 20 16:12:33 06[CFG] loaded CA certificate 'CN=vpn-ca'
Oct 20 16:12:34 06[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 06[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (746 bytes)
Oct 20 16:12:34 09[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (38 bytes)
Oct 20 16:12:34 09[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Oct 20 16:12:34 09[IKE] peer didn't accept DH group ECP_256, it requested MODP_1024
Oct 20 16:12:34 09[IKE] initiating IKE_SA android[22] to 95.91.XXX.XXX
Oct 20 16:12:34 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 20 16:12:34 09[NET] sending packet: from 10.110.148.78[45519] to 95.91.XXX.XXX[500] (810 bytes)
Oct 20 16:12:34 11[NET] received packet: from 95.91.XXX.XXX[500] to 10.110.148.78[45519] (301 bytes)
Oct 20 16:12:34 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Oct 20 16:12:34 11[IKE] local host is behind NAT, sending keep alives
Oct 20 16:12:34 11[IKE] sending cert request for "CN=vpn-ca"
Oct 20 16:12:34 11[IKE] authentication of 'CN=vpn-Nexus5X' (myself) with RSA signature successful
Oct 20 16:12:34 11[IKE] sending end entity cert "CN=vpn-Nexus5X"
Oct 20 16:12:34 11[IKE] establishing CHILD_SA android{15}
Oct 20 16:12:34 11[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Oct 20 16:12:34 11[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (1628 bytes)
Oct 20 16:12:34 12[NET] received packet: from 95.91.XXX.XXX[4500] to 10.110.148.78[43786] (1548 bytes)
Oct 20 16:12:34 12[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH N(INIT_CONTACT) CPRP(ADDR MASK DNS DNS) TSi TSr SA ]
Oct 20 16:12:34 12[IKE] received end entity cert "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using certificate "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG]   using trusted ca certificate "CN=vpn-ca"
Oct 20 16:12:34 12[CFG] checking certificate status of "CN=569504bXXXXX.sn.mynetname.net"
Oct 20 16:12:34 12[CFG] certificate status is not available
Oct 20 16:12:34 12[CFG]   reached self-signed root ca with a path length of 0
Oct 20 16:12:34 12[IKE] authentication of 'CN=569504bXXXXX.sn.mynetname.net' with RSA signature successful
Oct 20 16:12:34 12[CFG] constraint check failed: identity '569504bXXXXX.sn.mynetname.net' required 
Oct 20 16:12:34 12[CFG] selected peer config 'android' inacceptable: constraint checking failed
Oct 20 16:12:34 12[CFG] no alternative config found
Oct 20 16:12:34 12[ENC] generating INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
Oct 20 16:12:34 12[NET] sending packet: from 10.110.148.78[43786] to 95.91.XXX.XXX[4500] (76 bytes)
Can anyone tell me what's wrong here?
Thanks in advance!

Kind regards,
Val

Re: Feature Req: IKEv2 server and client

Posted: Fri Oct 20, 2017 6:04 pm
by mrz
Your client expects that server ID should be "569504bXXXXX.sn.mynetname.net", not "android".

Re: Feature Req: IKEv2 server and client

Posted: Fri Oct 20, 2017 6:13 pm
by Valexus
Thanks for your response. I just figured out that I made a copy and paste error on the certificate creation:
I used:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=IP:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Instead of this:
add common-name=569504bXXXXX.sn.mynetname.net subject-alt-name=DNS:569504bXXXXX.sn.mynetname.net key-usage=tls-server name=server1
Now it works as expected! Maybe you could include a check if it's really an IP or DNS name and print an error or so.

Re: Feature Req: IKEv2 server and client

Posted: Mon Nov 06, 2017 6:23 am
by vmarkovsky
Can not connect ikev2: iphone ios v10, v11 to MikroTik RouterOS 6.40.4 (hAP ac lite).
I cleared the configuration with:
/system reset-configuration no-defaults=yes
And configured according to https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
The connection reaches "IPsec-SA established" and disconnects:
03:52:21 ipsec ike auth: finish 
03:52:21 ipsec my ID (DER): 192.168.111.11 
03:52:21 ipsec processing payload: NONCE 
03:52:21 ipsec adding payload: CERT 
03:52:21 ipsec adding payload: ID_R 
03:52:21 ipsec adding payload: AUTH 
03:52:21 ipsec prepearing internal IPv4 address 
03:52:21 ipsec prepearing internal IPv4 netmask 
03:52:21 ipsec prepearing internal IPv4 DNS 
03:52:21 ipsec adding payload: CONFIG 
03:52:21 ipsec initiator selector: 192.168.77.254 
03:52:21 ipsec adding payload: TS_I 
03:52:21 ipsec responder selector: 0.0.0.0/0 
03:52:21 ipsec adding payload: TS_R 
03:52:21 ipsec adding payload: SA 
03:52:21 ipsec IPsec-SA established: 192.168.111.242[4500]<->192.168.111.11[4500] spi=0x5abc024 
03:52:21 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.242[4500] spi=0x9b2a9f1 
03:54:21 ipsec sending dpd packet 
03:54:26 ipsec dpd: retransmit 
03:54:31 ipsec dpd: retransmit 
03:54:36 ipsec dpd: retransmit 
03:54:41 ipsec dpd: retransmit 
03:54:46 ipsec dpd: max retransmit failures reached 
03:54:46 ipsec,info killing ike2 SA: 192.168.111.11[4500]-192.168.111.242[4500] spi:62a552307497bfe0:8a809506787dd7fa
The connection from Windows 10 is successful:
04:18:01 ipsec ike auth: finish 
04:18:01 ipsec my ID (DER): 192.168.111.11 
04:18:01 ipsec processing payload: NONCE 
04:18:01 ipsec adding payload: CERT 
04:18:01 ipsec adding payload: ID_R 
04:18:01 ipsec adding payload: AUTH 
04:18:01 ipsec adding payload: NOTIFY 
04:18:01 ipsec   notify: INITIAL_CONTACT 
04:18:01 ipsec prepearing internal IPv4 address 
04:18:01 ipsec prepearing internal IPv4 netmask 
04:18:01 ipsec prepearing internal IPv4 DNS 
04:18:01 ipsec adding payload: CONFIG 
04:18:01 ipsec initiator selector: 192.168.77.253 
04:18:01 ipsec adding payload: TS_I 
04:18:01 ipsec responder selector: 0.0.0.0/0 
04:18:01 ipsec adding payload: TS_R 
04:18:01 ipsec adding payload: SA 
04:18:01 ipsec IPsec-SA established: 192.168.111.10[4500]<->192.168.111.11[4500] spi=0xcc3dd9d 
04:18:01 ipsec IPsec-SA established: 192.168.111.11[4500]<->192.168.111.10[4500] spi=0x9e512210 
04:20:01 ipsec sending dpd packet 
04:20:01 ipsec ike2 reply, exchange: INFORMATIONAL:0 192.168.111.10[4500] 
04:20:01 ipsec payload seen: ENC 
04:20:01 ipsec processing payload: ENC 
04:20:01 ipsec respond: info

What do I need to change in the configuration from the wiki https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth?

Re: Feature Req: IKEv2 server and client

Posted: Fri Nov 10, 2017 6:39 pm
by vmarkovsky
If anyone is able to configure IKEv2 connection for iphone without "Apple Configurator" - please publish your configuration.

Re: Feature Req: IKEv2 server and client

Posted: Wed Nov 22, 2017 4:00 pm
by l0ser140
I can't connect with the Windows native client if the PFS group in the proposal is set to anything except "none".
I read some info on the internet and it looks like it's not used by IKEv2. Is it true?

Re: Feature Req: IKEv2 server and client

Posted: Wed Nov 22, 2017 7:28 pm
by l0ser140
Also I have trouble with certificates signed by intermediate centers.
Windows client can connect only if intermediate certificate imported into client machine.

Tested with COMODO and LetsEncrypt certs. Any way to use this certs for IKEv2?

Re: Feature Req: IKEv2 server and client

Posted: Thu Dec 14, 2017 7:11 pm
by aivarsm
hi.

i have working settings to blackberry z30 - microtik ikev2. only pki certificates.

Re: Feature Req: IKEv2 server and client

Posted: Sun Dec 17, 2017 11:25 pm
by jwischka
Configuration question:

I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel. The IPSec connection itself is working properly: I connect to the remote peer with the "request only" config, the strongswan server gives me an IP address properly (10.55.48.1/32) with the proper 0.0.0.0/0 destination address policy is generated. The PH2 State shows established, and I have the proper SAs installed on both the server and client side.

The problem comes when I try to send data across the tunnel. Ordinarily with iptables, I would add a policy nat rule and SNAT rule for my subnet and that would be that.

I've added what I think is the correct rule at the top of the NAT table (chain=srcnat action=src-nat to-addresses=10.55.48.1 src-address=192.168.88.0/24 dst-address=0.0.0.0/0 out-interface=wan-network). The rule does match traffic, and I do see traffic coming from 10.55.48.1 on my pfSense box. What doesn't seem to be happening is any traffic returning from the pfSense box.

I've verified that the pfSense settings are correct using a separate strongswan client which can connect and pass traffic out over the remote connection. So I'm certain the problem is with something I'm probably not adding (or not doing correctly) on the Mikrotik side. Can someone point me to where I might be getting things wrong?

Re: Feature Req: IKEv2 server and client

Posted: Thu Mar 15, 2018 7:04 pm
by l0ser140
Is there any way to associate the IP assigned to a client with the username used for login when using eap-radius auth?

Re: Feature Req: IKEv2 server and client

Posted: Fri Mar 23, 2018 3:19 am
by digit
Mikrotik to SonicWall IPSEC

On SonicWall there is "Local IKE ID" and "Peer IKE ID". Can't find where to match this on Mikrotik IKEv2 Phase 1

I receive "Payload missing: ID_R" from Mikrotik and phase 1 is not established. Any idea ?

SonicWall
General
######
Site to Site
IKE using Preshared Secret
Shared Secret: 123test
Local IKE ID: Firewall Identifier: 123test
Peer IKE ID: Firewall Identifier: 123test

Proposal
#######
IKE (Phase 1) Proposal

Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1

PFS unchecked

Lifetime: 28800

Mikrotik config (only phase 1 for now)
# mar/21/2018 17:47:17 by RouterOS 6.41.3
# software id = 8EQD-U7QY
#
# model = RouterBOARD 750G r3
# serial number = xxxxxxxxxxxxxxxxxxx
/ip ipsec peer
add address=[peer public ip]/32 dh-group=modp1024 enc-algorithm=3des exchange-mode=ike2 lifetime=8h my-id=key-id:123test secret=123test

log obfuscated
LOCAL PUBLIC IP: 1.1.1.1
REMOTE PUBLIC IP: 2.2.2.2

17:34:22 ipsec,debug ===== sending 292 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 296 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 317 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug 2a6775d0ad2aa7887c33fe1d68baf308966f0001
17:34:22 ipsec,debug => shared secret (size 0x80)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => skeyseed (size 0x14)
17:34:22 ipsec,debug 2577407e b774290d 3e39eb4b 707c20d6 230ef24d
17:34:22 ipsec,debug => keymat (size 0x14)
17:34:22 ipsec,debug 624ce5f0 08623e82 87b28d17 27113d02 06b0c7b1
17:34:22 ipsec,debug => SK_ai (size 0x14)
17:34:22 ipsec,debug d2fcfce0 d2cd6146 1abd8150 8d890031 f3bac165
17:34:22 ipsec,debug => SK_ar (size 0x14)
17:34:22 ipsec,debug 5c0762a7 873595aa 5f7da9f2 2ba02666 ad1b4b4a
17:34:22 ipsec,debug => SK_ei (size 0x18)
17:34:22 ipsec,debug 75d1a8e3 954ad272 8c776663 aafd9d01 ecd0f694 b62b2a35
17:34:22 ipsec,debug => SK_er (size 0x18)
17:34:22 ipsec,debug 84fcc538 976c2fdf f442018e 72136907 b0f501d4 54f71a51
17:34:22 ipsec,debug => SK_pi (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => SK_pr (size 0x14)
17:34:22 ipsec,debug 46348d04 fa37f11a 0f1c2387 1db3ccf2 abb4002a
17:34:22 ipsec,info new ike2 SA (I): 1.1.1.1[4500]-2.2.2.2[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb
17:34:22 ipsec,debug c7fc48aefca0df916f8f74eb65c5e0d524f6d98e
17:34:22 ipsec,debug 7976fefe3e79c301fed37cd30b39aee781d297a8
17:34:22 ipsec,debug => auth nonce (size 0x14)
17:34:22 ipsec,debug 9697d571 77b90034 fca051b4 5732754f 68c93263
17:34:22 ipsec,debug => SK_p (size 0x14)
17:34:22 ipsec,debug 5fc31380 08e5989e 23d7a820 1c11dca1 0d328d03
17:34:22 ipsec,debug => idhash (size 0x14)
17:34:22 ipsec,debug bb65a017 adb8e84b c9c15df7 9afca8fa f4d67361
17:34:22 ipsec,debug => my auth (size 0x14)
17:34:22 ipsec,debug xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
17:34:22 ipsec,debug => (size 0x11)
17:34:22 ipsec,debug 00000011 0b000000 43686162 6f743831 38
17:34:22 ipsec,debug => (size 0x1c)
17:34:22 ipsec,debug 0000001c 02000000 f43d1401 d278b36f 2e186170 7f4cd9be 1c770aef
17:34:22 ipsec,debug => (size 0x44)
17:34:22 ipsec,debug 00000044 00000040 01030405 067d0e4e 0300000c 0100000c 800e0100 0300000c
17:34:22 ipsec,debug 0100000c 800e00c0 0300000c 0100000c 800e0080 03000008 03000002 00000008
17:34:22 ipsec,debug 05000000
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 2d4919b2 2d4919b2
17:34:22 ipsec,debug => (size 0x18)
17:34:22 ipsec,debug 00000018 01000000 07000010 0000ffff 42aba3c2 42aba3c2
17:34:22 ipsec,debug ===== sending 356 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 360 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,debug ===== received 68 bytes from 2.2.2.2[4500] to 1.1.1.1[4500]
17:34:22 ipsec,debug => iv (size 0x8)
17:34:22 ipsec,debug 4559965b 17b5afb3
17:34:22 ipsec,debug => plain payload (trimmed) (size 0x8)
17:34:22 ipsec,debug 00000008 00000026
17:34:22 ipsec,debug decrypted
17:34:22 ipsec,error payload missing: ID_R
17:34:22 ipsec,debug ===== sending 68 bytes from 1.1.1.1[4500] to 2.2.2.2[4500]
17:34:22 ipsec,debug 1 times of 72 bytes message will be sent to 2.2.2.2[4500]
17:34:22 ipsec,info killing ike2 SA: 1.1.1.1[4500]-REMOREIP[4500] spi:5cf4c94886a6b4d4:0a004c31a26458fb

Re: Feature Req: IKEv2 server and client

Posted: Mon Mar 26, 2018 11:26 am
by ovat
I am trying to connect a RB450G to a pfSense 2.4.2 firewall as an IKEv2 client and tunnel all traffic over the tunnel.
.
I am trying to setup the same connection, can you share mikrotik and strongswan ipsec configs?

Re: Feature Req: IKEv2 server and client

Posted: Wed Mar 28, 2018 5:47 pm
by ovat
Perhaps anyone else has a working example of an IKEv2 connection between a mikrotik client (initiator behind NAT) and a Strongswan server? Looks like the virtual IP from strongswan is not assigned to the mikrotik interface.

Re: Feature Req: IKEv2 server and client

Posted: Sat Apr 21, 2018 10:09 pm
by MikroTikFan
As it was mentioned earlier in this topic
ROS v7.
by mrz » Thu Oct 16, 2014 11:23 am

my grandpa hopes to see ROS7 before he dies

when can we test ROS7 with ikev2 server

Interesting, but now it is close to two years later; I hope that your Grandpa is still in great condition ;-), because we are still waiting for ROS v.7 ;-(

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 23, 2018 10:16 am
by mrz
@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 23, 2018 10:52 am
by msatter
Maybe it is the case that you don't have to look under IPv6 for that but under IPv4 in the menu or path. ;-)

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 23, 2018 6:34 pm
by vmarkovsky
What are you waiting for? IKE2 was backported to v6 a long time ago.
How to configure ROS v6 IKEv2 to work with Apple iOS?
If configured according to the instruction https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth
then connection reaches "IPsec-SA established" and disconnects.

Re: Feature Req: IKEv2 server and client

Posted: Mon Apr 23, 2018 6:44 pm
by mrz
Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration

Re: Feature Req: IKEv2 server and client

Posted: Tue Apr 24, 2018 7:47 pm
by MikroTikFan
@MikroTikFan
What are you waiting for? IKE2 was backported to v6 a long time ago.


Thanks, I thought that this should be in the same place together with the other VPN services.
I will try to follow instructions

https://wiki.mikrotik.com/wiki/Manual:I ... 2_RSA_auth

Hopefully I will succeed ;-)

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 25, 2018 11:34 am
by regffhh
Hi!
I tried to connect Mikrotik and iPhone, using IKEv2 with RSA certificates.
All config from the wiki, and it doesn't work :(
When I push to connect the VPN it instantly breaks...
log:
08:27:10 ipsec,info new ike2 SA (R): x.x.x.x[500]-y.y.y.y[500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
08:27:10 ipsec,error EAP not configured
08:27:10 ipsec,info killing ike2 SA: x.x.x.x[4500]-y.y.y.y[4500] spi:b28322b0e9c7ed28:bf5a4127e3c4fd79
Sorry for my english...

Re: Feature Req: IKEv2 server and client

Posted: Wed Apr 25, 2018 11:51 am
by regffhh
Hi!

Re: Feature Req: IKEv2 server and client

Posted: Fri May 11, 2018 1:45 am
by vmarkovsky
Did you configure iOS and ROS as stated in these notes?
https://wiki.mikrotik.com/wiki/Manual:I ... figuration
Thank you! It works now. IPhone successfully connected via ikev2.
In Wiki, there was an update on the installation of the certificate:
It is necessary to mark the self-signed CA certificate as trusted on the iOS device. This can be done in Settings -> General -> About -> Certificate Trust Settings menu.
I think this was the reason for the disconnection.

Re: Feature Req: IKEv2 server and client

Posted: Fri May 11, 2018 3:10 am
by vmarkovsky
Currently no, User Manager currently does not support EAP so you will need external RADIUS. And xauth is not compatible with ike2.
In Wiki said: "Note: Currently RouterOS does not support any of EAP authentication methods".
Does RouterOS now support authentication for the IKEv2 server by EAP passthrough to an external RADIUS server?

Re: Feature Req: IKEv2 server and client

Posted: Mon May 14, 2018 10:22 am
by mrz
Yes, EAP passthrough to external RADIUS is supported.

Re: Feature Req: IKEv2 server and client

Posted: Fri Jun 29, 2018 8:07 pm
by martr84
Good Afternoon,

I've set up ike2 with eap-radius and all is working fine on Apple iOS devices, however I can't seem to get it to work on a Windows 10 client. Has anyone got this confirmed as working with Windows 10?

if so, if anyone has any pointers they would be greatly appreciated.

Thanks
Martin.

Re: Feature Req: IKEv2 server and client

Posted: Sun Jul 22, 2018 1:03 pm
by markwien
Yes, EAP passthrough to external RADIUS is supported.
Correct, I made it work for me... works with iOS, Apple, Windows and strongswan. Assigning a static IP via RADIUS works too.

Re: Feature Req: IKEv2 server and client

Posted: Wed Jul 25, 2018 12:54 pm
by martr84
Hi mark,

I’ve got another thread about this open in the general forum, but did you use a third party ca or your own? I want to use a third party ca and can’t get it to work without installing the intermediate cert on the windows clients. if you did use a third party ca which one?

Thanks
Martin

Re: Feature Req: IKEv2 server and client

Posted: Fri Jul 27, 2018 8:16 pm
by markwien
Hi mark,

I’ve got another thread about this open in the general forum, but did you use a third party ca or your own? I want to use a third party ca and can’t get it to work without installing the intermediate cert on the windows clients. if you did use a third party ca which one?

Thanks
Martin
i made it with self signed CA...

Re: Feature Req: IKEv2 server and client

Posted: Mon Sep 03, 2018 12:25 pm
by plhappy
Hello everyone, I configured the ikev2 server using win10 1803 <17134.228> and ros 6.42.7, and do it manually according to "https://wiki.mikrotik.com/wiki/Manual:I ... entication".

However, win10 can't log in, prompting "IKE can't find a valid computer certificate". Similarly, L2TP/IPsec and SSTP are normal. For this rsa signature authentication method, please give me an example configuration? I am very grateful.

Also, can I log in to ikev2 using "pre-shared key + username"?

Re: Feature Req: IKEv2 server and client

Posted: Mon Sep 03, 2018 1:34 pm
by mrz
It sounds like you did not import certificates properly to Windows trusted source.

Regarding PSK, you can set it up between two MT devices, Windows does not allow PSK.

Instead you need RADIUS server with EAP support and set up EAP authentication.